Odaysec

**Name of the Vulnerable Software and Affected Versions** pyLoad versions prior to 0.5.0b3.dev91 **Description** pyLoad is a free and open-source download manager written in Python. Versions prior to 0.5.0b3.dev91 have insufficient input validation in the web interface, specifically in the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This allows untrusted user input to be processed unsafely, potentially leading to client-side code execution (XSS) or manipulation of request handling. User-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. The CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. **Recommendations** Update pyLoad to version 0.5.0b3.dev91 or later.

**Name of the Vulnerable Software and Affected Versions** Traefik versions 2.11.27 and below Traefik versions 3.0.0 through 3.4.4 Traefik version 3.5.0-rc1 **Description** Traefik is an HTTP reverse proxy and load balancer. A path traversal vulnerability exists in the WASM Traefik’s plugin installation mechanism. Supplying a maliciously crafted ZIP archive containing file paths with `../` sequences allows an attacker to overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. **Recommendations** Update to Traefik version 2.11.28 or later. Update to Traefik version 3.4.5 or later. Update to Traefik version 3.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** LF Edge eKuiper versions prior to 2.2.1 **Description** A critical SQL Injection vulnerability exists in the `getLast` API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. The root cause lies in the use of unsanitized user-controlled input when constructing SQL queries using `fmt.Sprintf`, without validating the `table` parameter. A crafted request to the `/sql-query` API endpoint with a malicious `table` parameter can be used to inject SQL commands. **Recommendations** LF Edge eKuiper versions prior to 2.2.1 should be updated to version 2.2.1.

**Name of the Vulnerable Software and Affected Versions** Thor versions prior to 1.4.0 **Description** Thor versions prior to 1.4.0 can construct an unsafe shell command from library input. **Recommendations** Update Thor to version 1.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** pyload versions prior to 0.5.0b3.dev89 **Description** pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. **Recommendations** Update to version 0.5.0b3.dev89, which includes commit 909e5c97885237530d1264cfceb5555870eb9546 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions:** Headlamp versions prior to 0.31.1 **Description:** Headlamp is an extensible Kubernetes web UI. A command injection issue exists in the codeSign.js script used during the macOS packaging workflow. This is due to the improper use of the `execSync()` function with unsanitized input from environment variables. The variables `${teamID}`, `${entitlementsPath}`, and `${config.app}` are dynamically derived and passed to shell commands without proper escaping or argument separation, potentially allowing command injection if these values contain malicious input. **Recommendations:** Update to Headlamp version 0.31.1 or later.

Name of the Vulnerable Software and Affected Versions: DOMPurify versions 3.2.5 and earlier Description: The issue arises from the scripts/server.js file in DOMPurify, which fails to ensure that a pathname is located under the current working directory. This problem is present in versions up to 3.2.5 before the commit 6bc6d60. Recommendations: For DOMPurify versions 3.2.5 and earlier, consider restricting access to the scripts/server.js file until a patch is available. As a temporary workaround, ensure that all pathnames are manually verified to be under the current working directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lila (for Lichess) version before ab0beaf **Description** The issue is related to an innerHTML usage pattern in powertip.ts, where text is extracted from a DOM node and interpreted as HTML, allowing Cross-Site Scripting (XSS) in some applications. **Recommendations** For versions before ab0beaf, update to a version after ab0beaf to resolve the issue. As a temporary workaround, consider restricting the use of the innerHTML pattern in powertip.ts to minimize the risk of exploitation.