Moriel Harush

Name of the Vulnerable Software and Affected Versions Replicator versions 1.0.5 Description A remote code execution (RCE) issue exists in applications utilizing the Replicator node package manager. The vulnerability stems from the deserialization of untrusted user input, leading to the execution of the resulting object. This allows for unauthenticated access and potential compromise of systems. Recommendations Update Replicator to a version that addresses this issue.

**Name of the Vulnerable Software and Affected Versions** LiquidJS versions prior to 10.25.0 **Description** The `layout`, `render`, and `include` tags are susceptible to arbitrary file access through absolute paths. This can occur when paths are provided as string literals or through Liquid variables, particularly when `dynamicPartials: true` is enabled. This allows malicious users who can control template content or specify filepaths within Liquid variables to potentially access sensitive files. The issue involves the use of the `fs` module and its default implementation, which can be bypassed to access files outside of the intended directory structure. The `fs.fallback` function is a key component in this issue. **Recommendations** Update to LiquidJS version 10.25.0 or later. As a temporary workaround, modify the `dist/liquid.node.js` file to include additional checks within the `fs.fallback` function to ensure that filepaths are contained within allowed directories. Override the default `fs` implementation with a custom implementation that restricts file access to authorized locations.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. (affected versions not specified) **Description** The issue involves the exposure of sensitive information to an unauthorized actor. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. (affected versions not specified) **Description** This issue involves an authorization bypass through a user-controlled key. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** (affected versions not specified) **Description** The issue involves an unverified password change, potentially allowing unauthorized modification of user credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** (affected versions not specified) **Description** The vulnerability involves an observable response discrepancy. This issue relates to a mismatch in the expected and actual responses from a system or application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: (affected versions not specified) **Description** The software suffers from improper access control. This allows unauthorized access to resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. (affected versions not specified) **Description** This issue involves an authorization bypass through a user-controlled key. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Media CP Media Control Panel latest version **Description** The issue concerns a reflected XSS that can be executed through an unspecified endpoint. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Media CP Media Control Panel latest version **Description** The issue allows for CSRF, which is possible through an unspecified endpoint. **Recommendations** For the latest version of Media CP Media Control Panel, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Media CP Media Control Panel (affected versions not specified) **Description** The issue is related to insufficient protection of credential changes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Media CP Media Control Panel latest version **Description** A Permissive Flash Cross-domain Policy in the Media CP Media Control Panel may allow information disclosure. **Recommendations** For the Media CP Media Control Panel latest version, consider restricting access to the flash cross-domain policy until a more restrictive policy can be implemented.