Harold Kim

**Name of the Vulnerable Software and Affected Versions** PukiWiki versions 1.5.1 through 1.5.3 **Description** A reflected cross-site scripting issue allows a remote attacker to inject an arbitrary script via unspecified vectors. **Recommendations** For PukiWiki versions 1.5.1 through 1.5.3, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PukiWiki versions 1.4.5 to 1.5.3 **Description** A path traversal issue allows a remote authenticated attacker with administrative privileges to execute a malicious script. The attack vector is not specified. **Recommendations** For PukiWiki versions 1.4.5 to 1.5.3, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Adminer versions 4.6.1 through 4.8.0 **Description** A cross-site scripting issue affects users of MySQL, MariaDB, PgSQL, and SQLite. This issue is mostly prevented by strict Content Security Policy (CSP) in modern browsers, except when Adminer uses a `pdo ` extension to communicate with the database. The vulnerability can be exploited in browsers without CSP. **Recommendations** For versions 4.6.1 through 4.8.0, update to version 4.8.1 to resolve the issue. As a temporary workaround, consider using a browser that supports strict CSP. Enable the native PHP extensions (e.g., `mysqli`) to prevent exploitation. Disable displaying PHP errors (`display errors`) as an additional precaution.

**Name of the Vulnerable Software and Affected Versions** Git versions prior to 2.30.1 **Description** The issue is related to the git connect git function in the connect.c component of the Git distributed version control system. It allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests. This is demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. **Recommendations** For Git versions prior to 2.30.1, update to version 2.30.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the git connect git function in the connect.c component until a patch is available. Avoid using repository paths that contain newline characters in the affected API endpoint until the issue is resolved.