Nvn1729

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description Prior to version 3.13.4, on Windows, the static resource handler in AIOHTTP may expose information about a NTLMv2 remote path. This could potentially allow an attacker to extract the hash from an NTLMv2 path and then extract user credentials. Recommendations Update AIOHTTP to version 3.13.4 or later.

**Name of the Vulnerable Software and Affected Versions** Gradio versions prior to 6.7 **Description** Gradio is a Python package for prototyping applications. Applications running on Windows with Python 3.13 and later are susceptible to an absolute path traversal issue. A change in Python 3.13+ altered how `os.path.isabs` handles root-relative paths, leading to a flaw in Gradio’s path joining logic. This allows unauthenticated attackers to read arbitrary files from the Gradio server, even with authentication enabled. The issue affects the way paths are handled, potentially allowing access to sensitive files. **Recommendations** Update to version 6.7 or later.

Name of the Vulnerable Software and Affected Versions: Werkzeug versions prior to 3.0.6 Description: The issue arises from the `os.path.isabs()` function not correctly handling UNC paths like `//server/share` on Python versions less than 3.11 on Windows. This affects Werkzeug's `safe join()` function, which relies on this check, potentially leading to unintended access to data. Applications using Python 3.11 or later, or those not running on Windows, are not affected. Recommendations: For Werkzeug versions prior to 3.0.6, update to version 3.0.6 to resolve the issue. As a temporary workaround, consider avoiding the use of UNC paths like `//server/share` in applications using affected versions of Werkzeug until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Streamlit versions prior to 1.37.0 **Description** The issue is related to a path traversal vulnerability in the static file sharing feature of Streamlit. This vulnerability allows an attacker to leak the password hash of the Windows user running Streamlit when the static file sharing feature is enabled. The vulnerability only affects Windows. **Recommendations** For versions prior to 1.37.0, upgrade to version 1.37.0 to resolve the issue. As a temporary workaround, consider disabling the static file sharing feature until the patch is applied. Restrict access to the static file sharing feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jupyter Server versions prior to 2.14.1 **Description** The Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Alternatively, an attacker can perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. **Recommendations** For versions prior to 2.14.1, update to version 2.14.1 to resolve the issue. As a temporary workaround, consider restricting access to the Jupyter server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Traccar versions 5.1 through 5.12 **Description** The issue allows arbitrary files to be uploaded through the device image upload API, giving attackers full control over the file contents, directory, and extension, and partial control over the file name. This can potentially lead to remote code execution, XSS, and DOS. The default installation of Traccar, with self-registration enabled and running with root/system privileges, makes this issue more severe. **Recommendations** For Traccar versions 5.1 through 5.12, update to version 6.0 to resolve the issue. As a temporary workaround, consider turning off self-registration to reduce the severity of the vulnerability. Restrict access to the device image upload API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gradio versions prior to 4.11.0 **Description** The issue concerns a vulnerability in the `/file` route of Gradio, making it susceptible to file traversal attacks. An attacker could access arbitrary files on a machine running a Gradio app with a public URL if they knew the path of files to look for. This was possible through programmatic tools such as `curl` with the `--pass-as-is` flag, but not through regular URLs passed into a browser. Additionally, the `/file` route was vulnerable to Server-Side Request Forgery (SSRF) attacks. **Recommendations** For Gradio versions prior to 4.11.0, update to version 4.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the `/file` route to minimize the risk of exploitation. Avoid using the `/file` route in Gradio apps until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: OrangeHRM versions through 4.6 Description: The issue allows remote authenticated attackers to execute arbitrary SQL commands via the `loadMorePostsForm[profileUserId]` parameter to the "buzz/loadMoreProfile" endpoint. This is due to a SQL injection in the Buzz module of OrangeHRM. Recommendations: For versions through 4.6, consider disabling the `loadMorePostsForm[profileUserId]` parameter in the "buzz/loadMoreProfile" endpoint as a temporary workaround until a patch is available. Restrict access to the Buzz module to minimize the risk of exploitation. Avoid using the `loadMorePostsForm[profileUserId]` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** petl versions prior to 1.68 **Description** The issue allows resolution of entities in an XML document, potentially leading to information disclosure. An attacker who can submit XML input to an application using petl can disclose arbitrary files on the file system in the context of the user under which the application is running. This can occur in applications that accept attacker-supplied XML input processed using petl, return the response generated by petl back to the attacker, configure lxml as the underlying XML processing library used by petl, and have read privileges in filesystem files with sensitive information. **Recommendations** Update to petl version 1.68 or later. As a temporary workaround, assure there is no user or external access to the application using petl. Assure your application is not using the function fromxml().