Parrot409

**Name of the Vulnerable Software and Affected Versions** Caddy versions prior to 2.11.1 **Description** The path sanitization routine in Caddy's file matcher does not properly sanitize backslashes, potentially allowing bypass of path-related security protections. This issue affects users with specific Caddy and environment configurations. The vulnerability can be exploited by crafting requests with backslashes in the path, which can bypass reverse proxy protections or other path-based security measures. The `try files` directive is involved in this issue, and configurations combining blacklisting and serving may be vulnerable if the `try files` directive and filtering `route`/`handle` directives are in the same block. A proof-of-concept demonstrates bypassing an Nginx protection by using a URL-encoded backslash in the path. **Recommendations** Update Caddy to version 2.11.1 or later.

**Name of the Vulnerable Software and Affected Versions** undici versions 4.5.0 through 5.28.4 undici versions 4.5.0 through 6.21.0 undici versions 4.5.0 through 7.2.2 **Description** The issue arises from undici using `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. **Recommendations** For undici versions 4.5.0 through 5.28.4, update to version 5.28.5 or later. For undici versions 4.5.0 through 6.21.0, update to version 6.21.1 or later. For undici versions 4.5.0 through 7.2.2, update to version 7.2.3 or later. As a temporary workaround, do not issue multipart requests to attacker-controlled servers.

**Name of the Vulnerable Software and Affected Versions** Yelp versions prior to 42.2 Yelp versions prior to 3.38.3-1+deb11u1 Yelp versions prior to 3.36.2-0ubuntu1.1 Yelp-xsl versions prior to 42.1-2+deb12u1 Yelp-xsl versions prior to 3.36.0-1ubuntu0.1 **Description** A flaw in the Gnome user help application allows help documents to execute arbitrary scripts. This issue stems from the incorrect handling of paths in `ghelp` URLs and the inclusion of functions from an untrusted controlled area when processing documents using the `ghelp` scheme. A remote attacker can exploit this by tricking a user into opening a specially crafted help file, which may lead to arbitrary code execution and the exfiltration of sensitive user files, such as SSH keys, to an external environment. **Recommendations** Update to version 42.2 or later. Update to version 3.38.3-1+deb11u1. Update to version 3.36.2-0ubuntu1.1. Update yelp-xsl to version 42.1-2+deb12u1. Update yelp-xsl to version 3.36.0-1ubuntu0.1.

**Name of the Vulnerable Software and Affected Versions** Deno versions prior to 1.42.2 **Description** The issue is caused by errors in synchronization when using a shared resource in the Deno runtime environment for JavaScript and TypeScript. Exploitation of this issue may allow an attacker to disclose protected information. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and get data. For example the `033[6n` sequence requests the current cursor position. These sequences allow appending data to the standard input of Deno. This allows an attacker to bypass Deno permission policy. **Recommendations** For Deno versions prior to 1.42.2, update to version 1.42.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of ANSI escape sequences in the terminal emulator to minimize the risk of exploitation. Avoid using the `libc::tcflush(0, libc::TCIFLUSH)` function in conjunction with reading standard input until the issue is resolved.