Martinzhou2015

**Name of the Vulnerable Software and Affected Versions** node-red-contrib-huemagic version 3.0.0 **Description** The issue allows remote attackers to gain sensitive information via a crafted request in the `res.sendFile` API in `hue-magic.js`. This is a Directory Traversal vulnerability, which can be exploited by sending a specifically designed request to the affected system. **Recommendations** For node-red-contrib-huemagic version 3.0.0, consider disabling the `res.sendFile` function in `hue-magic.js` until a patch is available to prevent potential exploitation. Restrict access to sensitive information and files to minimize the risk of unauthorized access.

**Name of the Vulnerable Software and Affected Versions** MrSwitch hello.js versions 1.18.6 through 1.18.7 **Description** A prototype pollution issue allows remote attackers to execute arbitrary code via the `hello.utils.extend` function. This enables attackers to manipulate the prototype chain, potentially leading to code execution. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For MrSwitch hello.js versions 1.18.6 through 1.18.7, update to version 1.18.8 or later to resolve the issue. As a temporary workaround, consider disabling the `hello.utils.extend` function until a patch is available. Restrict access to the `hello.utils.extend` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Open5GS version 2.1.3 **Description** The issue concerns a default password for the admin account, which is set to `1423`. The software listens on `0.0.0.0:3000`. **Recommendations** For Open5GS version 2.1.3, change the default admin password to a strong, unique password to prevent unauthorized access. Consider restricting access to the admin account until the password is changed.

**Name of the Vulnerable Software and Affected Versions** node-red-contrib-huemagic version 3.0.0 **Description** The issue allows for Directory Traversal, enabling access to arbitrary files. This is achieved through the `res.sendFile` API in the file hue-magic.js, using the `hue/assets/..%2F` path. **Recommendations** For node-red-contrib-huemagic version 3.0.0, consider disabling the `res.sendFile` API in the hue-magic.js file until a patch is available. Restrict access to the hue-magic.js file to minimize the risk of exploitation. Avoid using the `hue/assets/..%2F` path in the affected API endpoint until the issue is resolved.