Pyuysig

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl.

An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.

An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header.

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

**Name of the Vulnerable Software and Affected Versions** Vector versions prior to 0.55.0 **Description** The ClickHouse sink contains a SQL/identifier injection flaw. The software escaped the `table` identifier but interpolated the `database` value raw into the INSERT statement, allowing a crafted database value to break out of identifier quoting. This occurs in the `KeyPartitioner::partition()` function via the `set uri query` parameter, which could allow attackers to access sensitive database information using crafted SQL statements. **Recommendations** Update to version 0.55.0.

An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector v0.54.0 allows attackers to cause a Denial of Service (DoS) via a crafted request or payload.

An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to execute a directory traversal via supplying a crafted request.

An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.

An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request.

An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file.

An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.

Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.

A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

An issue in Zhoros SuperBin v1.0.0 allows attackers to execute a directory traversal via supplying files with names containing traversal characters.

An issue in the attachment handling component of Feuerhamster MailForm v1.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted request.

An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request.