Unhingedazrael

**Name of the Vulnerable Software and Affected Versions** CosmodiumCS OnlyRAT versions prior to 3.3 **Description** A vulnerability exists in CosmodiumCS OnlyRAT. The `connect/remote upload/remote download` function within the `main.py` file of the Configuration File Handler component is affected. Manipulation of the `configuration["PASSWORD"]` argument can lead to OS command injection. The attack requires a local approach and is considered difficult to exploit. The exploit is publicly available. The vendor was contacted but did not respond. **Recommendations** Versions prior to 3.3: Address the OS command injection issue by sanitizing or validating the `configuration["PASSWORD"]` argument within the `connect/remote upload/remote download` function in the `main.py` file. As a temporary workaround, restrict access to the Configuration File Handler component.

Name of the Vulnerable Software and Affected Versions: Papermerge DMS versions through 3.5.3 Description: A security flaw exists in Papermerge DMS related to the Authorization Token Handler component. Manipulation of this component can lead to improper authorization. This issue can be exploited remotely, and the exploit has been publicly released. The vendor was notified but did not respond. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.