M10X

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.219.4 **Description** Zed, a multiplayer code editor, does not display the parameters used when invoking a tool, both during the allowance request and after invocation. This lack of visibility could allow the use of unwanted or malicious values without the user’s knowledge. The issue concerns tool call details and the potential for tool poisoning. **Recommendations** Update to version 0.219.4 or later to benefit from expandable tool call details.

**Name of the Vulnerable Software and Affected Versions** Tandoor Recipes versions 2.0.0-alpha-1 **Description** Tandoor Recipes 2.0.0-alpha-1 is susceptible to privilege escalation. This issue stems from a rework of the API, specifically within the User Profile `API Endpoint`. The endpoint contains two boolean values that incorrectly indicate a user's staff or administrative status. This allows any user to elevate their privileges to the highest level. **Recommendations** Update to Tandoor Recipes version 2.0.0-alpha-2 or later.

Name of the Vulnerable Software and Affected Versions: Tandoor Recipes versions prior to 1.5.24 Description: The issue is related to a Jinja2 SSTI vulnerability that allows any user to execute commands on the server, potentially with root privileges in the case of the provided Docker Compose file. This vulnerability has been fixed in version 1.5.24. Recommendations: Tandoor Recipes versions prior to 1.5.24: Update to version 1.5.24 to fix the Jinja2 SSTI vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tandoor Recipes versions prior to 1.5.28 **Description** Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the name and content of files on the server. **Recommendations** Tandoor Recipes versions prior to 1.5.28 should be updated to version 1.5.28 to fix the issue.

**Name of the Vulnerable Software and Affected Versions** Tandoor Recipes versions prior to 1.5.28 **Description** The issue concerns the file upload feature in Tandoor Recipes, which allows uploading arbitrary files, including html and svg. These files can contain malicious content, such as XSS payloads. **Recommendations** For versions prior to 1.5.28, update to version 1.5.28 to resolve the issue. As a temporary workaround, consider restricting the file upload feature to minimize the risk of exploitation. Avoid using the file upload feature for html and svg files until the issue is resolved.