Paul Gerste

**PostgreSQL and Affected Versions** PostgreSQL versions prior to 18.3 PostgreSQL versions prior to 17.9 PostgreSQL versions prior to 16.13 PostgreSQL versions prior to 15.17 PostgreSQL versions prior to 14.22 PostgreSQL version 9.3 **Description** PostgreSQL is susceptible to a buffer overrun due to missing validation of multibyte character length during text manipulation. This allows a database user to craft queries that can overwrite memory, potentially leading to arbitrary code execution with the privileges of the operating system user running the database. The issue is triggered when processing maliciously crafted queries, specifically in the PL/pgsql function compilation when handling CREATE FUNCTION statements. An attacker with CREATE privilege can define a PL/Python user-defined function containing arbitrary Python code that executes with the privileges of the PostgreSQL server process. Approximately 3 million instances are estimated to be exposed globally. The vulnerability affects the `substring()` function, which may raise an error when processing non-ASCII text values sourced from database columns. **Recommendations** PostgreSQL versions prior to 18.3: Upgrade to version 18.3 or later. PostgreSQL versions prior to 17.9: Upgrade to version 17.9 or later. PostgreSQL versions prior to 16.13: Upgrade to version 16.13 or later. PostgreSQL versions prior to 15.17: Upgrade to version 15.17 or later. PostgreSQL versions prior to 14.22: Upgrade to version 14.22 or later. PostgreSQL version 9.3: Upgrade to a supported version of PostgreSQL.

**Name of the Vulnerable Software and Affected Versions** Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions 1.5.0 and earlier **Description** The Eclipse Paho Go MQTT v3.1 library is susceptible to an issue where UTF-8 encoded strings exceeding 65535 bytes in length may be incorrectly encoded. This occurs because the data length is converted to an int16 without overflow checks, potentially leading to corrupt packets or data leakage—for example, a portion of an MQTT topic might be included in the message body of a PUBLISH packet. The issue arises from converting the data length from an int64 or int32 to an int16 without proper validation. **Recommendations** Versions prior to 1.5.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** pg-promise versions prior to 11.5.5 **Description** The issue is related to SQL Injection due to improper handling of negative numbers. **Recommendations** For versions prior to 11.5.5, update to version 11.5.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Grafana versions prior to 12.0.1 **Description** Grafana is susceptible to a cross-site scripting (XSS) vulnerability stemming from a combination of a client path traversal and an open redirect. This allows attackers to redirect users to a malicious website hosting a frontend plugin capable of executing arbitrary JavaScript. The vulnerability does not require editor permissions and is exploitable even with anonymous access enabled. If the Grafana Image Renderer plugin is installed, a full read SSRF can be achieved. The default Content-Security-Policy (CSP) in Grafana may offer some mitigation, but is not fully effective. Over 46,000 instances of Grafana were reported as unpatched and vulnerable. The vulnerability allows for potential account takeover and remote code execution. **Recommendations** Update Grafana to version 12.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** The built-in XY Chart plugin is affected by a DOM XSS issue. A user with Editor permissions can modify a panel to execute arbitrary JavaScript. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 134 Firefox ESR versions prior to 128.6 Thunderbird versions prior to 134 Thunderbird versions prior to 128.6 **Description** The issue arises when using Alt-Svc, as ALPN fails to properly validate certificates in scenarios where the original server redirects to an insecure site. **Recommendations** For Firefox versions prior to 134, update to version 134 or later. For Firefox ESR versions prior to 128.6, update to version 128.6 or later. For Thunderbird versions prior to 134, update to version 134 or later. For Thunderbird versions prior to 128.6, update to version 128.6 or later.

**Name of the Vulnerable Software and Affected Versions** Avenwu Whistle versions 2.9.90 and earlier **Description** The issue allows attackers to perform malicious API calls, resulting in the execution of arbitrary code on the victim's machine. This is due to a Cross-Site Request Forgery (CSRF) flaw. **Recommendations** For Avenwu Whistle versions 2.9.90 and earlier, update to a version that fixes the CSRF issue to prevent malicious API calls and arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pip versions prior to v23.3 **Description** The issue is related to the injection of arbitrary configuration options to the "hg clone" call when installing a package from a Mercurial VCS URL using pip. This can modify how and which repository is installed. The vulnerability does not affect users who aren't installing from Mercurial. **Recommendations** For pip versions prior to v23.3, update to version v23.3 or later to resolve the issue. As a temporary workaround, consider avoiding the installation of packages from Mercurial VCS URLs until the issue is resolved. Restrict access to the `hg clone` call to minimize the risk of exploitation. Avoid using the `--config` option in the "hg clone" call until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MySQL Connectors versions 8.1.0 and prior **Description** The issue is related to insufficient input validation in the Connector/J component of MySQL Connectors, allowing an unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The vulnerability can result in the takeover of MySQL Connectors. **Recommendations** For versions 8.1.0 and prior, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Connector/J component to minimize the risk of exploitation. Avoid using the Connector/J component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Visual Studio Code (affected versions not specified) **Description** The issue is related to insufficient input validation in Visual Studio Code, allowing an attacker to execute arbitrary code using a specially crafted file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Visual Studio Code GitHub Pull Requests and Issues Extension (affected versions not specified) **Description** The issue is related to errors in processing input data in the Visual Studio Code GitHub Pull Requests and Issues Extension. Exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitKraken GitLens versions prior to 14.0.0 **Description** The issue is related to insufficient input validation in the GitKraken GitLens plugin for Visual Studio Code, allowing an attacker to execute arbitrary code via a crafted file. This can be exploited by an attacker to gain unauthorized access and execute malicious code. **Recommendations** For versions prior to 14.0.0, update to version 14.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Visual Studio Code workspace trust component to minimize the risk of exploitation. Avoid using crafted files that could potentially exploit the insufficient input validation in the GitKraken GitLens plugin.

**Name of the Vulnerable Software and Affected Versions** Gogs versions 0.13.0 and earlier **Description** The issue is related to argument injection during the tagging of a new release. This could allow a remote attacker to disclose protected information. Unprivileged user accounts with at least one SSH key can read arbitrary files on the system, potentially leaking configuration files with database credentials, such as `[database]` and `[security] SECRET KEY`, as well as exfiltrating TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled. **Recommendations** For Gogs versions 0.13.0 and earlier, upgrade to version 0.13.1 or the latest 0.14.0+dev to resolve the issue. As a temporary measure, only grant access to trusted users to your Gogs instance on affected versions, as there is no viable workaround available.

**Name of the Vulnerable Software and Affected Versions** Onedev versions prior to 7.3.0 **Description** Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the `/opt/onedev/sites/` directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This issue can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. **Recommendations** For versions prior to 7.3.0, upgrade to version 7.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the `/opt/onedev/sites/` directory until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Poetry versions prior to 1.1.9 Poetry versions prior to 1.2.0b1 **Description** Poetry is a dependency manager for Python that uses various commands, such as `git clone`, when handling dependencies from a Git repository. The commands are constructed using user input, and although Poetry avoids Command Injection vulnerabilities by passing an array of arguments, there is a possibility that user input starting with a dash (`-`) can be treated as an optional argument, leading to Code Execution. This can occur because some commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. The exploit can still work even when the victim tries to ensure safety by vetting config files. **Recommendations** For versions prior to 1.1.9, upgrade to version 1.1.9 or later. For versions prior to 1.2.0b1, upgrade to version 1.2.0b1 or later. As a temporary workaround, consider restricting the use of the `git clone` command with untrusted repository URLs until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Poetry versions 1.1.9 and below **Description** The issue is related to an untrusted search path in Poetry, which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This occurs when the application is run on Windows OS. **Recommendations** For versions 1.1.9 and below, update to a version above 1.1.9 to resolve the issue. As a temporary workaround, consider avoiding the execution of Poetry commands in directories that may contain malicious content.

**Name of the Vulnerable Software and Affected Versions** superjson versions prior to 1.8.1 Blitz.js versions prior to 0.45.3 **Description** The issue allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This can lead to full control over the server, allowing attackers to steal and manipulate data or attack further systems. **Recommendations** For superjson versions prior to 1.8.1, update to superjson 1.8.1. For Blitz.js versions prior to 0.45.3, update to Blitz.js 0.45.3 or upgrade only superjson to version 1.8.1. As a temporary workaround, consider restricting the use of superjson in request processing until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Visual Studio Code (affected versions not specified) **Description** The issue is related to incorrect code generation management in the Visual Studio Code editor. Exploitation of this issue may allow an attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Composer versions prior to 1.10.23 Composer versions prior to 2.1.9 **Description** The issue affects Windows users running Composer to install untrusted dependencies, subjecting them to command injection. Other operating systems and Windows Subsystem for Linux (WSL) are not affected. **Recommendations** For versions prior to 1.10.23, upgrade to version 1.10.23 or later. For versions prior to 2.1.9, upgrade to version 2.1.9 or later. As a temporary workaround, consider avoiding the installation of untrusted dependencies until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Ghost versions 4.0.0 through 4.3.2 Description: An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro) has already been patched, and there is no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Recommendations: For Ghost versions 4.0.0 through 4.3.2, upgrade to version 4.3.3 as soon as possible. As a temporary workaround, consider blocking access to the `/ghost/preview` endpoint to mitigate the issue. To block access in nginx, use the following configuration: ``` location ~ /ghost/preview { rewrite ^(/(.*/)?ghost/)(.*)$ $1 redirect; } ``` This redirects the endpoint to `/ghost/`, which mimics the behaviour after the patch is applied. Additionally, logging out of Ghost Admin, suspending any users who cannot log out, can also help mitigate the issue.