Zeroxjacks

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** The `getInstance()` function within the `InputFilter` class fails to include a security-sensitive parameter when generating the instance cache key. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla (affected versions not specified) **Description** The password and username reset features generate plain http links even when https connections are used, provided the "Force SSL" flag is not explicitly enabled. This leads to a transport encryption downgrade, where secure communications are reverted to an unencrypted state. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** python-utcp versions prior to 1.1.3 **Description** The ` prepare environment()` function in `cli communication protocol.py` passes a complete copy of `os.environ` to every CLI subprocess. This allows any environment variable in the host process, such as cloud provider credentials, database connection strings, and LLM API keys, to be accessible to injected commands. When combined with a command injection flaw in the ` substitute utcp args()` function, an attacker can exfiltrate all process-level secrets in a single tool call. **Recommendations** Update to version 1.1.3 or newer.

**Name of the Vulnerable Software and Affected Versions** python-utcp versions prior to 1.1.3 **Description** The ` substitute utcp args` method in `cli communication protocol.py` inserts user-controlled `tool args` values directly into shell command strings without sanitization or escaping. These commands are executed via `/bin/bash -c` on Unix or `powershell.exe -Command` on Windows, allowing an unauthenticated attacker to inject shell metacharacters such as `;`, `|`, `&`, backticks, and `$()` to achieve remote code execution on the host system. **Recommendations** Update to version 1.1.3 or newer. As a temporary workaround, refuse all attacker-controlled `tool args`.

**Name of the Vulnerable Software and Affected Versions** ONNX versions prior to 1.21.0 **Description** The ExternalDataInfo class in ONNX used Python’s `setattr()` function to load metadata from ONNX model files without validating the keys. This allowed an attacker to craft a malicious model that could overwrite internal object properties. Exploitation could lead to a denial-of-service (DoS) condition by causing excessive memory allocation, access bypass by reading unintended file parts, or object corruption through the injection of dunder attributes. **Recommendations** Update to ONNX version 1.21.0 or later.

Name of the Vulnerable Software and Affected Versions ONNX versions prior to 1.21.0 Description The Open Neural Network Exchange (ONNX) has an issue in the `onnx.load` function where the code checks for symbolic links to prevent path traversal but fails to account for hard links, as hard links appear as regular files on the filesystem. The validator in `onnx/checker.cc` only uses `is symlink()` and does not check the inode or `st nlink`, allowing hard links to bypass security checks. This could be particularly dangerous in AI supply chain scenarios. Recommendations Update to version 1.21.0 or later.

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. Versions up to and including 26.0 are affected by an issue where the `getRealIpAddr()` function in `objects/functions.php` relies on user-controlled HTTP headers to determine the client's IP address. An attacker can forge HTTP headers to spoof their IP address, potentially bypassing IP-based access controls and audit logging. The vulnerable function is `getRealIpAddr()`. The vulnerable file is `objects/functions.php`. **Recommendations** Update AVideo to a version later than 26.0. As a temporary workaround, consider restricting or disabling the use of the `getRealIpAddr()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Open Neural Network Exchange (ONNX) versions through 1.20.1 **Description** ONNX is an open standard for machine learning interoperability. A security control bypass exists in the `onnx.hub.load()` function due to flawed repository trust verification logic. The `silent=True` parameter suppresses security warnings and confirmation prompts, enabling Zero-Interaction Supply-Chain Attacks. When combined with file-system weaknesses, an attacker can silently exfiltrate sensitive files, such as SSH keys and cloud credentials, from a victim's machine when a model is loaded. The vulnerability stems from the short-circuit evaluation in `onnx/hub.py`, where the `silent` parameter overrides the trust requirement. The SHA256 integrity check is also susceptible because the attacker controls both the model files and the manifest used for verification. **Recommendations** For all versions up to and including 1.20.1, avoid using the `silent=True` parameter in `onnx.hub.load()`. As a temporary workaround, consider loading models from local files after manual verification. Compute SHA256 hashes independently instead of relying on the hub manifest. Audit your codebase for usages of `silent=True` with `grep -r "silent.*True" --include="*.py"`.

**Name of the Vulnerable Software and Affected Versions** jsPDF versions prior to 4.2.0 **Description** jsPDF is a JavaScript library used to generate PDFs. A flaw exists where user-controlled input to the `addImage` method can lead to denial of service. Specifically, providing a malicious GIF file with large width and/or height values in its header can cause excessive memory allocation, resulting in out-of-memory errors. The `html` method is also affected. An example attack vector involves using the `addImage` function with a crafted payload containing harmful GIF image data. The `addImage` function takes a payload as its first argument. **Recommendations** jsPDF versions prior to 4.2.0 should be upgraded to version 4.2.0 or later. As a workaround, sanitize image data or URLs before passing them to the `addImage` method or the `html` method.

**Name of the Vulnerable Software and Affected Versions** jsPDF versions prior to 4.2.0 **Description** jsPDF is a JavaScript library used to generate PDF documents. A flaw exists where user-controlled input to the `addJS` method allows an attacker to inject arbitrary PDF objects into generated documents. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure when a user opens the PDF. The `addJS` method is vulnerable because it lacks proper input sanitization, allowing attackers to break out of the intended JavaScript string context. This can lead to the execution of arbitrary JavaScript code within the PDF, potentially triggering actions like displaying alerts or manipulating the document content. The vulnerability can be exploited by injecting a malicious payload that closes the JavaScript string, closes the current dictionary, and then injects an "Additional Action" that executes when the PDF is focused or opened. The injected code can then perform actions such as displaying an alert message. **Recommendations** Upgrade to jsPDF version 4.2.0 or later. As a temporary workaround, escape parentheses in user-provided JavaScript code before passing it to the `addJS` method.

**Name of the Vulnerable Software and Affected Versions** AdonisJS versions prior to 10.1.3 AdonisJS versions prior to 11.0.0-next.9 **Description** A denial of service (DoS) issue exists in the multipart file handling logic of the @adonisjs/bodyparser package. The multipart parser may accumulate an unbounded amount of data in memory when attempting to detect file types, potentially leading to excessive memory consumption and process termination. **Recommendations** Update to AdonisJS version 10.1.3 or later. Update to AdonisJS version 11.0.0-next.9 or later.