Ry0Tak

**Name of the Vulnerable Software and Affected Versions** Caido versions prior to 0.48.0 **Description** Caido is a web security auditing toolkit that lacks protection for DNS rebinding, allowing it to be loaded on an attacker-controlled domain. This enables a malicious website to hijack the authentication flow of Caido and achieve code execution. A malicious website loaded in the browser can hijack the locally running Caido instance and achieve remote command execution during the initial setup. Even if the Caido instance is already configured, an attacker can initiate the authentication flow by performing DNS rebinding, requiring the victim to authorize the request on dashboard.caido.io. **Recommendations** Upgrade to version 0.48.0 to receive a patch.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions prior to v2.13.8 Argo CD versions prior to v2.14.13 Argo CD versions prior to v3.0.4 **Description** This issue allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. The vulnerability is caused by the improper filtering of URL protocols in the repository page, allowing an attacker to achieve cross-site scripting with permission to edit the repository. The `ui/src/app/shared/components/urls.ts` file contains code that parses the repository URL without validating the protocol, making it possible to inject `javascript:` URLs. This can lead to cross-site scripting as the return value of this function is used in the `href` attribute of the `a` tag. **Recommendations** Update to Argo CD version v2.13.8 or later to fix the vulnerability. Update to Argo CD version v2.14.13 or later to fix the vulnerability. Update to Argo CD version v3.0.4 or later to fix the vulnerability. As a temporary workaround, consider relying on the browser to filter the URL until a patch is applied.

Name of the Vulnerable Software and Affected Versions: HedgeDoc versions prior to 1.10.3 Description: The issue arises when a malicious SVG file is uploaded to HedgeDoc, potentially leading to cross-site scripting (XSS) when the file is opened in a new tab. This is possible due to the exploitation of JSONP capabilities in GitHub Gist embeddings. Only instances with specific configurations, such as the local filesystem upload backend or where uploads are served from the same domain as HedgeDoc, are affected. Recommendations: For versions prior to 1.10.3, upgrade to HedgeDoc 1.10.3 to resolve the issue. As a temporary workaround for instances that cannot be upgraded to 1.10.3, add the following headers for all routes under /uploads: Content-Disposition: attachment and Content-Security-Policy: default-src 'none'. Additionally, remove external URLs in the script-src attribute of the Content-Security-Policy header.

**Name of the Vulnerable Software and Affected Versions** Next.js versions prior to 12.3.6 Next.js versions prior to 13.5.10 Next.js versions prior to 14.2.26 Next.js versions prior to 15.2.4 **Description** The issue concerns the leakage of the `x-middleware-subrequest-id` across multiple incoming requests in Next.js, a React framework for building full-stack web applications. This subrequest ID is sent to all requests, including those to third-party destinations, potentially leaking sensitive information. **Recommendations** For versions prior to 12.3.6, update to version 12.3.6 or later. For versions prior to 13.5.10, update to version 13.5.10 or later. For versions prior to 14.2.26, update to version 14.2.26 or later. For versions prior to 15.2.4, update to version 15.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Vim versions 9.1.0858 through 9.1.1163 **Description** Vim is an open source, command line text editor that is distributed with the tar.vim plugin. This plugin allows easy editing and viewing of compressed or uncompressed tar files. However, starting with version 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position without sanitizing the input, which can be taken literally from the tar archive. This allows for the execution of shell commands via specially crafted tar archives, depending on the shell being used. The issue has been fixed as of Vim patch v9.1.1164. **Recommendations** Update to version 9.1.1164 to stay secure. Avoid opening untrusted TAR files. Monitor for unusual events. As a temporary workaround, consider disabling the tar.vim plugin until a patch is available.

Name of the Vulnerable Software and Affected Versions: Vim versions prior to 9.1.1198 Description: The issue concerns potential data loss when using Vim with the zip.vim plugin and specially crafted zip files. The impact is considered medium as it requires a user to view the malicious archive with Vim and then interact with it by pressing 'x' on a strange filename. Recommendations: For versions prior to 9.1.1198, update to Vim patch v9.1.1198 to resolve the issue. As a temporary workaround, consider avoiding the use of zip.vim with untrusted zip files until the update is applied.

**Name of the Vulnerable Software and Affected Versions** LocalSend versions prior to 1.17.0 **Description** The issue arises from the missing sanitization of the path in the "POST /api/localsend/v2/prepare-upload" and "POST /api/localsend/v2/upload" endpoints, allowing a malicious file transfer request to write files to arbitrary locations on the system. This can result in remote command execution, typically via the startup folder on Windows or Bash-related files on Linux. If the `Quick Save` feature is enabled, files can be written silently without explicit user interaction. **Recommendations** For versions prior to 1.17.0, update to version 1.17.0 to resolve the issue. As a temporary workaround, consider disabling the `Quick Save` feature to prevent silent file writing. Restrict access to the "POST /api/localsend/v2/prepare-upload" and "POST /api/localsend/v2/upload" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Git LFS versions prior to 3.6.1 **Description** Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, such as line feed (LF) or carriage return (CR), and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters into the URL, an attacker may be able to retrieve a user's Git credentials. **Recommendations** Git LFS versions prior to 3.6.1 should be updated to version 3.6.1 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: OpenWrt versions prior to 920c8a1 Description: The issue is related to the Attended SysUpgrade feature of OpenWrt, which allows for the injection of malicious firmware. This is due to a combination of command injection in the ImageBuilder service and the use of truncated SHA-256 hashes, making it feasible for an attacker to generate collisions and serve compromised images to users. The vulnerability could be exploited to distribute malicious firmware packages, potentially affecting over 1.7 million services. Recommendations: Update to ASU version 920c8a1 to protect against the vulnerability. Verify the integrity of builds and only use official images from the OpenWrt website for safety. As a temporary workaround, consider restricting access to the vulnerable `openwrt/asu` server until a patch is applied.

Name of the Vulnerable Software and Affected Versions: go-gh versions prior to 2.11.1 Description: A security issue has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens from different environment variables depending on the host involved: `GITHUB TOKEN`, `GH TOKEN` for GitHub.com and ghe.com, and `GITHUB ENTERPRISE TOKEN`, `GH ENTERPRISE TOKEN` for GitHub Enterprise Server. Prior to version 2.11.1, `auth.TokenForHost` could source a token from the `GITHUB TOKEN` environment variable for a host other than GitHub.com or ghe.com when within a codespace. Successful exploitation could send authentication tokens to an unintended host. Recommendations: Upgrade go-gh to version 2.11.1. Regenerate authentication tokens, including personal access tokens and GitHub CLI OAuth app tokens. Review personal security logs and any relevant audit logs for actions associated with the account or enterprise.

Name of the Vulnerable Software and Affected Versions: GitHub CLI versions prior to 2.63.0 Description: A security issue has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com. This issue stems from several `gh` commands, including `gh repo clone`, `gh repo fork`, and `gh pr checkout`, which invoke `git` with instructions to retrieve authentication tokens using the `credential.helper` configuration variable for any host encountered. Prior to version 2.63.0, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts, and tokens are sourced from environment variables `GITHUB ENTERPRISE TOKEN`, `GH ENTERPRISE TOKEN`, and `GITHUB TOKEN` when the `CODESPACES` environment variable is set. The result is `git` sending authentication tokens when cloning submodules. Successful exploitation could lead to a third-party using leaked authentication tokens to access privileged resources. Recommendations: Upgrade to version 2.63.0 or later. Revoke authentication tokens used with the GitHub CLI, including personal access tokens and GitHub CLI OAuth app authorizations. Review your personal security log and any relevant audit logs for actions associated with your account or enterprise.

Name of the Vulnerable Software and Affected Versions: GitHub CLI versions 2.6.1 and earlier Description: The issue is related to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details, allowing arbitrary code execution on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored. In version 2.62.0, the remote username information is being validated before being used. Recommendations: Upgrade to version 2.62.0 to fix the issue. As a temporary workaround, consider validating the remote username information before using it in `ssh` commands. Exercise caution when using custom devcontainer images, prefer default or pre-built devcontainers from trusted sources.

**Name of the Vulnerable Software and Affected Versions** VRCX versions prior to 2024.03.23 **Description** The issue affects VRCX, an assistant/companion application for VRChat. It involves a CefSharp browser with over-permission and cross-site scripting via overlay notification, which can be combined to result in remote command execution. **Recommendations** For versions prior to 2024.03.23, update the installation to VRCX 2023.12.24 or later to continue using VRCX, as older versions have been blocked on the VRC's API side.

**Name of the Vulnerable Software and Affected Versions** Nuxt (affected versions not specified) **Description** The issue arises from insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, allowing an attacker to execute arbitrary JavaScript on the server side. This enables the execution of arbitrary commands. Users are affected when they open a malicious web page in the browser while running the test locally, resulting in remote code execution from the malicious web page. A malicious web page can repeatedly attempt to exploit this vulnerability, triggering the exploit when the test server starts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 3.2.3 on the stable branch Discourse versions prior to 3.3.0.beta3 on the tests-passed branch **Description** The issue affects Discourse, an open-source discussion platform, where Oneboxing against a carefully crafted malicious URL can reduce the availability of a Discourse instance. This is due to improper input validation, posing risks to data integrity. There are no known workarounds available for this issue. **Recommendations** For Discourse versions prior to 3.2.3 on the stable branch, update to version 3.2.3 or later. For Discourse versions prior to 3.3.0.beta3 on the tests-passed branch, update to version 3.3.0.beta3 or later.

**Name of the Vulnerable Software and Affected Versions** Werkzeug versions prior to 3.0.3 **Description** The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. **Recommendations** For versions prior to 3.0.3, update to version 3.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the debugger or disabling it until the update is applied. Avoid using the debugger on untrusted or public networks, and ensure that the debugger PIN is not easily guessable.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 8.1.29, prior to 8.2.20, and prior to 8.3.8 GHC versions 9.6.5, 9.8.3, and 9.10.1-alpha3 **Description** A command injection vulnerability exists in PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 when using the `proc open()` function with array syntax. Insufficient escaping allows a malicious user to supply arguments that can execute arbitrary commands in the Windows shell. This vulnerability also affects the *process* library on Windows, where the `cmd.exe` interpreter is susceptible to command injection when executing `.bat` or `.cmd` files with arguments influenced by program input. The `CreateProcess` function implicitly spawns `cmd.exe` without proper escaping of special characters, leading to potential command injection. The initial fix for CVE-2024-1874 does not fully address the issue if the command name includes trailing spaces. The `RawCommand` constructor serializes the executable name and arguments into a single command line string, which is then passed to the `CreateProcess` function. **Recommendations** Upgrade PHP to version 8.1.29 or later. Upgrade PHP to version 8.2.20 or later. Upgrade PHP to version 8.3.8 or later. Upgrade the *process* library to version 1.6.19.0 or later. Upgrade GHC to version 9.6.5 or later. Upgrade GHC to version 9.8.3 or later. Upgrade GHC to version 9.10.1-alpha3 or later. Avoid executing batch files with arguments derived from untrusted input. If batch file execution is necessary with untrusted input, reject arguments containing special characters like `&` and `"` to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Rust versions prior to 1.77.2 **Description** A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability allows attackers to execute arbitrary shell commands by bypassing the escaping of arguments when invoking batch files on Windows using the `Command` API. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. However, on Windows, the implementation is more complex due to the Windows API only providing a single string containing all the arguments to the spawned process. The standard library implements custom escaping for arguments passed to batch files, but it was reported that this escaping logic was not thorough enough, allowing malicious arguments to result in arbitrary shell execution. **Recommendations** To resolve the issue, update to Rust 1.77.2 or later. If you are using a version prior to 1.77.2, consider disabling the execution of batch files or restricting the use of the `Command` API until a patch is available. Additionally, be cautious when passing untrusted input as arguments to the `Command` API, as this could lead to command injection attacks. If you implement the escaping yourself or only handle trusted inputs on Windows, you can also use the `CommandExt::raw arg` method to bypass the standard library's escaping logic.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 1.0.0 through 2.10.2 Argo CD versions 1.0.0 through 2.9.7 Argo CD versions 1.0.0 through 2.8.11 **Description** Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. This allows a malicious user to inject a javascript: link in the UI, which will execute with the victim's permissions (up to and including admin) when clicked. The vulnerability enables an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. **Recommendations** For Argo CD versions 1.0.0 through 2.10.2, upgrade to version 2.10.3 or later. For Argo CD versions 1.0.0 through 2.9.7, upgrade to version 2.9.8 or later. For Argo CD versions 1.0.0 through 2.8.11, upgrade to version 2.8.12 or later. As a temporary workaround, consider creating a Kubernetes admission controller to reject any resources with an annotation starting with `link.argocd.argoproj.io` or reject the resource if the value uses an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.

**Name of the Vulnerable Software and Affected Versions** RSSHub versions 1.0.0-master.cbbd829 through 1.0.0-master.d8ca915 **Description** RSSHub is an open source RSS feed generator. When a specially crafted image is supplied to the internal media proxy, it proxies the image without handling XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. **Recommendations** For versions 1.0.0-master.cbbd829 through 1.0.0-master.d8ca915, please upgrade to version 1.0.0-master.d8ca915 or a later version to fix the issue. As a temporary workaround, consider restricting access to the internal media proxy until a patch is applied.