Leeya_Bug

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions prior to 5.1.9.2954 build 20241120 QNAP QuTS hero h5.1.9 versions prior to 5.1.9.2954 build 20241120 **Description** An out-of-bounds write issue has been reported, potentially allowing remote attackers with administrator access to modify or corrupt memory. **Recommendations** For QNAP QTS versions prior to 5.1.9.2954 build 20241120, update to QTS 5.1.9.2954 build 20241120 or later. For QNAP QuTS hero h5.1.9 versions prior to 5.1.9.2954 build 20241120, update to QuTS hero h5.1.9.2954 build 20241120 or later.

**Name of the Vulnerable Software and Affected Versions** PaddlePaddle versions prior to 2.6.0 **Description** The issue is related to a command injection in the `get online pass interval` function, allowing the execution of arbitrary commands on the operating system. **Recommendations** For versions prior to 2.6.0, update to version 2.6.0 or later to resolve the issue. As a temporary workaround, consider disabling the `get online pass interval` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PaddlePaddle versions prior to 2.6.0 **Description** The issue is a command injection in the `convert shape compare` function, allowing the execution of arbitrary commands on the operating system. **Recommendations** For versions prior to 2.6.0, update to version 2.6.0 or later to resolve the issue. As a temporary workaround, consider disabling the `convert shape compare` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** abupy versions up to v0.4.0 **Description** The issue is a SQL injection vulnerability via the component `abupy.MarketBu.ABuSymbol.search to symbol dict`. This vulnerability allows for potential exploitation. **Recommendations** For versions up to v0.4.0, update to a version later than v0.4.0 to resolve the issue. As a temporary workaround, consider restricting access to the `search to symbol dict` component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Dango-Translator version 4.5.5 **Description** A remote command execution (RCE) issue was found in Dango-Translator via the `app/config/cloud config.json` component. **Recommendations** For Dango-Translator version 4.5.5, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** fast-poster version 2.15.0 **Description** The issue concerns a Cross Site Scripting (XSS) problem. Specifically, it involves the upload of files, where the check for image files is performed based on binary data but does not strictly verify the file suffix. This weakness is exploited at the "/server/fast.py" endpoint, particularly through the `ApiUploadHandler.post` function, leading to stored XSS. The estimated number of potentially affected devices worldwide is not provided. **Recommendations** For fast-poster version 2.15.0, as a temporary workaround, consider disabling the file upload functionality at the `/server/fast.py` endpoint, specifically through the `ApiUploadHandler.post` function, until a patch is available. Restrict access to the `ApiUploadHandler.post` function to minimize the risk of exploitation. Avoid using the file upload feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WebsiteGuide version 0.2 **Description** The issue allows for Remote Command Execution (RCE) via image upload. **Recommendations** For version 0.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** funadmin versions 3.3.2 through 3.3.3 **Description** The issue concerns insecure file upload via the plugins install. **Recommendations** For versions 3.3.2 and 3.3.3, consider disabling the plugins install feature until a patch is available. Restrict access to the plugins install module to minimize the risk of exploitation.