Yuexi Zhang

**Name of the Vulnerable Software and Affected Versions** netbird version 0.28.4 **Description** The issue concerns a static initialization vector (IV) used in the encrypt function, allowing attackers to obtain sensitive information. This static IV is utilized in the github.com/netbirdio/netbird code. **Recommendations** For netbird version 0.28.4, update to a version that addresses the static initialization vector issue in the encrypt function to prevent attackers from obtaining sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Navidrome version 0.52.3 **Description** The issue concerns the use of an insecure hashing algorithm, specifically MD5, in the Gravatar service of Navidrome. This allows attackers to manipulate a user's account information. **Recommendations** For Navidrome version 0.52.3, consider disabling the use of the MD5 hashing algorithm in the Gravatar service until a secure alternative is implemented. Restrict access to account information to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** casdoor version 1.636.0 **Description** An issue in casdoor allows attackers to obtain sensitive information via the `ssh.InsecureIgnoreHostKey()` method, which disables host key verification. This method is used in github.com/casdoor/casdoor. **Recommendations** For casdoor version 1.636.0, consider disabling the use of the `ssh.InsecureIgnoreHostKey()` method to prevent host key verification bypass until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cortex version 0.42.1 **Description** A TLS certificate verification issue allows attackers to obtain sensitive information via the `makeOperatorRequest` function. This is due to cortex establishing TLS connections with the `InsecureSkipVerify` variable set to `true`. **Recommendations** For cortex version 0.42.1, consider disabling the `makeOperatorRequest` function until a patch is available, and restrict the use of `InsecureSkipVerify` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** beego versions 2.2.0 and earlier **Description** The issue allows a remote attacker to escalate privileges via the `getCacheFileName` function in the `file.go` file. **Recommendations** For beego versions 2.2.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mmudb version 1.9.3 **Description** The issue concerns the use of the HTTP protocol in the `ShowMetricsRaw` and `ShowMetricsAsText` functions, which could allow attackers to intercept communications via a man-in-the-middle attack. **Recommendations** For mmudb version 1.9.3, consider disabling the `ShowMetricsRaw` and `ShowMetricsAsText` functions until a patch is available that utilizes a secure protocol, such as HTTPS, to encrypt communications and prevent interception. Restrict access to these functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** beego versions 2.2.0 and earlier **Description** An issue in beego allows a remote attacker to escalate privileges via the `sendMail` function located in the `beego/core/logs/smtp.go` file. **Recommendations** For beego versions 2.2.0 and earlier, consider disabling the `sendMail` function as a temporary workaround until a patch is available. Restrict access to the `beego/core/logs/smtp.go` file to minimize the risk of exploitation.