Yuvalo1212

**Name of the Vulnerable Software and Affected Versions** n8n versions prior to 2.10.1 n8n versions prior to 2.9.3 n8n versions prior to 1.123.22 **Description** n8n, an open source workflow automation platform, contains a critical Remote Code Execution (RCE) issue in its workflow expression evaluation system. An authenticated user with permission to create or modify workflows can exploit crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. Successful exploitation could lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. The issue stems from insufficient isolation of the expression evaluation context from the underlying runtime. **Recommendations** Upgrade to n8n version 2.10.1 or later. Upgrade to n8n version 2.9.3 or later. Upgrade to n8n version 1.123.22 or later. As a temporary workaround, limit workflow creation and editing permissions to fully trusted users only. As a temporary workaround, deploy n8n in a hardened environment with restricted operating system privileges and network access.

**Name of the Vulnerable Software and Affected Versions** Cursor versions prior to 0.42 **Description** The issue allows an attacker with control over a malicious web page to influence a language model to output arbitrary commands for execution in the user's terminal. This scenario requires the user to explicitly opt-in to including the contents of a compromised webpage and the attacker to display prompt injection text in the contents of the compromised webpage. A server-side patch was released on September 27, 2024, to prevent the streaming of newlines or control characters. **Recommendations** For versions prior to 0.42, no additional action is needed as the patch has been applied server-side. For all versions, it is recommended to set the `"cursor.terminal.usePreviewBox"` setting to true to stream responses into a preview box, which requires manual acceptance before being inserted into the terminal. As a best practice, only include trusted pieces of context in prompts.