GitHub · Git LFS · CVE-2022-24826
**Name of the Vulnerable Software and Affected Versions**
Git LFS versions 2.12.1 through 3.1.2
**Description**
On Windows, if Git LFS operates on a malicious repository that contains a file named `..exe` as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program is executed, permitting the attacker to execute arbitrary code. Unix systems are not affected. The vulnerability occurs because, when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH`, it passes an empty string as the executable file path to the Go `os/exec` package. That package contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches that directory for a file whose base name is `.` combined with each file extension from `PATHEXT`, executing the first one it finds.
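The path construction described above, as an added illustration that is not Git LFS or Go code: `lookupCandidates` emulates portably how joining `.` to an empty program name and appending each `PATHEXT` extension produces `..exe`, and `resolveProgram` is a hypothetical hardened resolver that refuses to fall through to the working directory when PATH lookup fails (the sample `PATHEXT` list is constructed).

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// lookupCandidates emulates, portably, the lookup the advisory describes:
// the working directory "." is joined to the program name and every PATHEXT
// extension is appended. Join(".", "") collapses to ".", so an empty name
// yields "..com", "..exe", ... which is exactly why a file named "..exe"
// in a malicious repository gets executed. (Constructed emulation, not the
// os/exec source.)
func lookupCandidates(name string, pathext []string) []string {
	joined := filepath.Join(".", name) // "" -> ".", "git" -> "git"
	out := make([]string, 0, len(pathext))
	for _, ext := range pathext {
		out = append(out, joined+ext)
	}
	return out
}

// resolveProgram is the hardened counterpart (hypothetical helper): it
// rejects an empty name up front, requires PATH lookup to succeed, and
// refuses any non-absolute result, so a failed lookup never degrades into
// a search of the current working directory.
func resolveProgram(name string) (string, error) {
	if name == "" {
		return "", errors.New("refusing to resolve an empty program name")
	}
	p, err := exec.LookPath(name)
	if err != nil {
		return "", fmt.Errorf("%q not found in PATH, not falling back to cwd: %w", name, err)
	}
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("refusing relative executable path %q", p)
	}
	return p, nil
}

func main() {
	pathext := []string{".com", ".exe", ".bat"} // constructed sample PATHEXT
	fmt.Println("empty name ->", lookupCandidates("", pathext))
	fmt.Println("git        ->", lookupCandidates("git", pathext))
	if _, err := resolveProgram(""); err != nil {
		fmt.Println("hardened resolver:", err)
	}
}
```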
**Recommendations**
For Git LFS versions 2.12.1 through 3.1.2, upgrade to version 3.1.3 to resolve the issue. As a temporary workaround, ensure that every program Git LFS intends to run is found in `PATH`, so that the empty-path fallback into the working directory is never reached. Restrict use of the affected `os/exec` package in the Go project until a patch is available.