Patrickhener

**Name of the Vulnerable Software and Affected Versions** goshs versions prior to 2.0.2 **Description** The PUT upload handler in `httpserver/updown.go` lacks Cross-Site Request Forgery (CSRF) token validation. CSRF is a type of attack that tricks a victim into submitting a malicious request. This deficiency, combined with the unconditional `Access-Control-Allow-Origin: *` header on the OPTIONS preflight handler in `httpserver/server.go`, allows any website to write arbitrary files to a goshs instance via a victim's browser, effectively bypassing network isolation such as localhost or internal networks. **Recommendations** Update to version 2.0.2.

**Name of the Vulnerable Software and Affected Versions** Secudos DOMOS version 5.8 **Description** The issue allows remote attackers to execute arbitrary commands as root via shell metacharacters in the `zone` field, which can be obtained from the web interface. This is related to the `conf datetime` in Secudos DOMOS. **Recommendations** For Secudos DOMOS version 5.8, consider restricting access to the web interface to minimize the risk of exploitation, and avoid using shell metacharacters in the `zone` field until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.