Nightrang3R

#18849 of 53,632
14.3 Total CVSS
Vulnerabilities · 2 (Critical: 1, Medium: 1)
PT-2020-6865 · CVSS 10 · 2020-11-18
Opentsdb · Opentsdb · CVE-2020-35476

**Name of the Vulnerable Software and Affected Versions**
OpenTSDB versions prior to 2.4.1

**Description**
A remote code execution issue occurs due to command injection in the `yrange` parameter. The `yrange` value is written to a gnuplot file in the /tmp directory, which is then executed via the mygnuplot.sh shell script. The attempted prevention of command injection by blocking backticks in tsd/GraphHandler.java is insufficient, so a remote attacker can still execute arbitrary code.

**Recommendations**
For OpenTSDB versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue. Until the update is applied, restrict access to the `yrange` parameter in the affected API endpoint, or avoid using that parameter altogether.
PT-2019-6772 · CVSS 4.3 · 2019-11-13
Letodms · Letodms · CVE-2012-4385

**Name of the Vulnerable Software and Affected Versions**
letodms version 3.3.6

**Description**
The change password function is vulnerable to cross-site request forgery (CSRF).

**Recommendations**
For letodms version 3.3.6, update to a version that includes a fix for this issue, if one is available. As a temporary workaround, restrict access to the change password function to reduce the risk of exploitation.