Laluka

**Name of the Vulnerable Software and Affected Versions** Danswer versions prior to 3.63 **Description** Danswer, the AI Assistant connected to a company's documents, applications, and people, is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. This vulnerability allows anyone with network access to steal and set Slack bot tokens, leading to the full compromise of the customer's Slack bot and internal Slack access. **Recommendations** For versions prior to 3.63, update to version 3.63 or later to resolve the issue. As a temporary workaround, consider restricting network access to the Danswer AI Assistant to minimize the risk of exploitation. Additionally, restrict access to the Slack Bot Tokens to prevent unauthorized GET/SET operations.

**Name of the Vulnerable Software and Affected Versions** Spip Web Framework versions v3.1.13 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the /spip.php component of Spip Web Framework. This allows attackers to execute arbitrary web scripts or HTML. **Recommendations** For Spip Web Framework versions v3.1.13 and earlier, update to a version later than v3.1.13 to resolve the issue. As a temporary workaround, consider restricting access to the /spip.php component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Spip versions prior to 3.2.8 **Description** A PHP injection issue allows attackers to execute arbitrary PHP code via the ` oups` parameter at the "/ecrire" API endpoint. **Recommendations** For versions prior to 3.2.8, update to version 3.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ecrire" API endpoint to minimize the risk of exploitation. Avoid using the ` oups` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Spip Web Framework versions v3.1.13 and earlier **Description** The issue concerns multiple SQL injection vulnerabilities. These vulnerabilities are located at the "/ecrire" endpoint via the `lier trad` and `where` parameters. **Recommendations** For Spip Web Framework versions v3.1.13 and earlier, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "/ecrire" endpoint to minimize the risk of exploitation. Avoid using the `lier trad` and `where` parameters in the affected endpoint until the issue is resolved.