Rezmoss

**Name of the Vulnerable Software and Affected Versions** SiYuan versions prior to 3.6.0 **Description** The /api/query/sql endpoint allows users to execute SQL queries directly on the database. However, it only verifies basic authentication and does not check for administrative privileges. This allows any logged-in user, including those with read-only access, to run arbitrary SQL queries. The vulnerable code resides in `kernel/api/sql.go` within the `SQL` function, which executes the provided SQL statement without proper restrictions. The route is protected only by `CheckAuth` middleware in `kernel/api/router.go`. An attacker can leverage this to potentially extract sensitive data, including notes belonging to other users, or cause performance issues through malicious SQL queries. The `stmt` parameter within the JSON payload is the vulnerable input. **Recommendations** Versions prior to 3.6.0 should be updated to version 3.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Gogs versions prior to 0.14.2 **Description** A security issue exists in Gogs, an open source self-hosted Git service, where deleting a release can fail if a user-controlled tag name is passed to Git without the proper separator. This allows for Git option injection, which can interfere with the process, lead to operational denial of service in release cleanup workflows, and cause release metadata inconsistency. The issue occurs because the `rel.TagName` variable is used as a CLI argument in the `git tag -d` command within the `process.ExecDir()` function without using `--` or `--end-of-options`. If a tag name begins with a dash, Git parses it as a flag. This can be exploited if an attacker adds a tag name starting with a dash to the repository and a user with appropriate permissions triggers the deletion via the web UI or API. **Recommendations** Update to version 0.14.2. As a temporary mitigation, avoid deleting releases that have tag names starting with a dash until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Gogs versions prior to 0.14.2 **Description** Gogs, a self-hosted Git service, contains a stored cross-site scripting (XSS) issue due to unsafe template rendering. The issue arises from mixing user input with permissive sanitizer handling of data URLs and the use of the `safe()` function, which disables escaping. Specifically, committer names on branch pages and arguments within locale files are vulnerable to injection. An attacker who can inject commit metadata, such as author or committer name, can trigger script execution on affected pages, potentially leading to session abuse, Cross-Site Request Forgery (CSRF) token theft, or unauthorized actions. The `safe()` function in internal/template/template.go allows bypassing escaping mechanisms. The vulnerability is present in templates/repo/branches/overview.tmpl, templates/repo/branches/all.tmpl, and templates/repo/wiki/view.tmpl. The locale file conf/locale/locale en-US.ini also contributes to the issue by injecting raw arguments. **Recommendations** Update to version 0.14.2 or later.

**Name of the Vulnerable Software and Affected Versions** Gogs versions prior to 0.14.2 **Description** The Gogs API accepts tokens in URL parameters, specifically `token` and `access token`. This can lead to information disclosure as these tokens may be logged, stored in browser history, or sent in referrer headers. The API checks for tokens in URL query parameters before checking the `Authorization` header. Token-authenticated requests are accepted by API routes. This allows for potential reuse of tokens until they are revoked. **Recommendations** Versions prior to 0.14.2 should be updated to version 0.14.2. Authentication headers should be used exclusively for token transmission. Token parameters should be blocked at the proxy or WAF level. Query strings should be scrubbed from logs. A strict referrer policy should be set.

**Name of the Vulnerable Software and Affected Versions** axios4go versions prior to 0.6.4 **Description** axios4go is a Go HTTP client library affected by a race condition in its shared HTTP client configuration. The global `defaultClient` is modified during request execution without proper synchronization, altering the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Applications using axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), different proxy configurations, or handling sensitive data like authentication credentials and API keys are potentially impacted. The vulnerability allows for potential proxy configuration leaks. **Recommendations** Versions prior to 0.6.4 should be updated to version 0.6.4 or later.