Xs1Kveroa

**Name of the Vulnerable Software and Affected Versions** Dokploy versions prior to 0.28.9 **Description** Dokploy is a free, self-hostable Platform as a Service (PaaS). An authenticated OS command injection exists in the '/listen-deployment' WebSocket endpoint, which allows any organization member to execute arbitrary system commands on remote servers managed by the platform, potentially leading to full server compromise. **Recommendations** Update to a version later than 0.28.8. As a temporary workaround, restrict access to the '/listen-deployment' WebSocket endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dokploy versions prior to 0.28.9 **Description** Dokploy is a free, self-hostable Platform as a Service (PaaS). An OS command injection exists in the 'application.updateTraefikConfig' tRPC endpoint, which allows authenticated users with admin or owner privileges to execute arbitrary system commands on remote servers. This occurs due to unsanitized echo shell interpolation. **Recommendations** Update to a version later than 0.28.8.

**Name of the Vulnerable Software and Affected Versions** ProFTPD versions prior to 1.3.9a 7666224 **Description** A SQL injection issue exists in the `sqltab fetch clients cb()` function within `contrib/mod wrap2 sql.c`. When the "UseReverseDNS on" setting is enabled, a remote attacker can inject arbitrary SQL commands by using a crafted domain name during a reverse DNS lookup, as the hostname is passed into SQL queries without being escaped. The exploitability of this issue may be limited by the character restrictions inherent to DNS names. **Recommendations** Update to version 1.3.9a 7666224 or later. Disable the "UseReverseDNS" setting to prevent the processing of reverse DNS lookups.