Tonghuaroot

**Name of the Vulnerable Software and Affected Versions** undici versions 7.23.0 through 7.27.x undici versions 8.0.0 through 8.4.x **Description** The ProxyAgent in undici silently drops the `requestTls` option when configured with a SOCKS5 proxy URI (`socks5://` or `socks://`). This causes the target HTTPS connection through the SOCKS5 tunnel to fall back to the default Node.js trust store, ignoring user-defined settings such as `ca`, `cert`, `key`, `rejectUnauthorized`, and `servername`. Consequently, applications that rely on `requestTls.ca` to pin to an internal or corporate Certificate Authority (CA) will instead use the default Mozilla CA bundle. This allows any certificate signed by a publicly trusted CA for the target hostname to be accepted, enabling Man-in-the-Middle (MITM) attacks to read and tamper with the HTTPS exchange. **Recommendations** Upgrade to version 7.28.0. Upgrade to version 8.5.0. Route traffic through an HTTP-proxy ProxyAgent instead of a SOCKS5 proxy to ensure `requestTls` is honored correctly.

**Name of the Vulnerable Software and Affected Versions** tmp version 0.2.6 **Description** A type-confusion issue exists in the ` assertPath` guard. The guard only rejects string values containing the substring `..`, allowing it to be bypassed when `prefix`, `postfix`, or `template` are supplied as non-string values (such as Array, Buffer, or other objects). If these values return falsy for `includes('..')` but contain `../` upon stringification, they flow through `Array.prototype.join` or string coercion within ` generateTmpName` and `path.join(tmpDir, opts.dir, name)`. This results in a path traversal that escapes the temporary directory, enabling the creation of files or directories at attacker-controlled locations with the privileges of the host process. This occurs in applications that forward untrusted request data into the functions `tmp.file()`, `tmp.fileSync()`, `tmp.dir()`, `tmp.dirSync()`, `tmp.tmpName()`, or `tmp.tmpNameSync()` without explicit type coercion. **Recommendations** Update to version 0.2.7. As a temporary workaround, implement explicit type coercion for the `prefix`, `postfix`, and `template` variables before passing them to the affected functions.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0561 **Description** The Python omni-completion script in `python3complete.vim` (for builds with the +python3 interpreter enabled) and `pythoncomplete.vim` (for builds with the +python interpreter) executes import and from statements found in the current buffer using Python's import machinery. Since the buffer's working directory is included in `sys.path`, opening a malicious .py file that has a sibling Python package and triggering omni-completion allows the top-level code of that package to be executed with the privileges of the user editing the file. **Recommendations** Update to version 9.2.0561.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0597 **Description** Python omni-completion in the text editor executes reconstructed function and class definitions from the current buffer using the `exec()` function to populate the completion dictionary. Because Python evaluates class base expressions, parameter annotations, and function default values during definition, a malicious buffer can trigger the execution of attacker-controlled Python expressions during the omni-completion process. The `g:pythoncomplete allow import` mitigation is ineffective in this case as the executed code is not an import statement. **Recommendations** Update to version 9.2.0597.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 7.0.5 **Description** OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.5 contain a flaw in the `disposeDocument()` method within the EtherFaxActions.php file. This allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem, potentially leading to Remote Code Execution (RCE) through the upload of malicious PHP web shells. The vulnerable method allows for the writing of files to the server. **Recommendations** Update OpenEMR to version 7.0.5 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 7.0.4 **Description** OpenEMR is an open source electronic health records and medical practice management application. Prior to version 7.0.4, the `disposeDocument()` method in `EtherFaxActions.php` allows authenticated users to read arbitrary files from the server filesystem. Any authenticated user, regardless of privilege level, can exploit this to read sensitive files. The `disposeDocument()` function is vulnerable. **Recommendations** Update to version 7.0.4.

**Name of the Vulnerable Software and Affected Versions** Apache HertzBeat versions prior to 1.7.0 **Description** The issue is a Server-Side Request Forgery (SSRF) vulnerability. It affects the Api Config Oss. Users are recommended to upgrade to version 1.7.0 to fix the issue. **Recommendations** For versions prior to 1.7.0, upgrade to version 1.7.0 to resolve the issue. As a temporary workaround, consider restricting access to the Api Config Oss to minimize the risk of exploitation.