Zhengyu Liu

**Name of the Vulnerable Software and Affected Versions** AFFiNE versions prior to 0.25.4 **Description** AFFiNE is an open-source workspace and operating system. Versions prior to 0.25.4 contain a one-click remote code execution issue. An attacker can exploit this by embedding a specially crafted `affine:` URL on a website. Exploitation occurs when a victim visits a malicious website that redirects to the URL, or clicks a crafted link on a legitimate website. This triggers the AFFiNE custom URL handler, launching the application and processing the URL, resulting in arbitrary code execution on the victim’s machine without further interaction. **Recommendations** Update to version 0.25.4 or later.

**Name of the Vulnerable Software and Affected Versions** cronoh NanoVault versions up to 1.2.1 **Description** A problematic issue exists in cronoh NanoVault due to a cross-site scripting condition. The issue affects the `executeJavaScript` function within the `/main.js` file of the xrb URL Handler component. This can be initiated remotely. The exploit has been publicly disclosed. **Recommendations** Versions prior to 1.2.1 should be updated. As a temporary workaround, consider restricting access to the `/main.js` file or disabling the xrb URL Handler component until a patch is available.

Name of the Vulnerable Software and Affected Versions: Hashview version 0.8.1 Description: The issue allows for account takeover via the password reset feature. This is because the `SERVER NAME` is not configured, causing the password reset to depend on the `Host` HTTP header. Recommendations: For Hashview version 0.8.1, configure the `SERVER NAME` to prevent the password reset feature from relying on the `Host` HTTP header. As a temporary workaround, consider restricting access to the password reset feature until the `SERVER NAME` is properly configured.

Name of the Vulnerable Software and Affected Versions: fblog versions through 983bede Description: The issue allows account takeover via the password reset feature because the `SERVER NAME` is not configured, causing the reset to depend on the `Host` HTTP header. Recommendations: For versions through 983bede, configure the `SERVER NAME` to prevent the password reset feature from relying on the `Host` HTTP header. As a temporary workaround, consider restricting access to the password reset feature until the `SERVER NAME` is properly configured.

Name of the Vulnerable Software and Affected Versions: JobCenter versions through 7e7b0b2 Description: The issue allows for account takeover via the password reset feature. This is because the `SERVER NAME` is not configured, causing the password reset to depend on the `Host` HTTP header. Recommendations: For versions through 7e7b0b2, configure the `SERVER NAME` to prevent the password reset feature from relying on the `Host` HTTP header. As a temporary workaround, consider restricting access to the password reset feature until the `SERVER NAME` is properly configured.

Name of the Vulnerable Software and Affected Versions: flask-boilerplate versions through a170e7c Description: The issue allows account takeover via the password reset feature. This is because the `SERVER NAME` is not configured, and thus the password reset depends on the `Host` HTTP header. Recommendations: For versions through a170e7c, configure the `SERVER NAME` to prevent the password reset feature from depending on the `Host` HTTP header. As a temporary workaround, consider restricting access to the password reset feature until the `SERVER NAME` is properly configured.

**Name of the Vulnerable Software and Affected Versions** comfyanonymous comfyui version 0.3.40 **Description** A vulnerability was found in the function `set attr` of the file `/comfy/utils.py`, which can lead to dynamically-determined object attributes. The attack can be launched remotely, but it has a high complexity and is considered difficult to exploit. The exploit has been disclosed to the public. **Recommendations** For version 0.3.40, consider disabling the `set attr` function in the `/comfy/utils.py` file as a temporary workaround until a patch is available. Restrict access to the `/comfy/utils.py` file to minimize the risk of exploitation. Avoid using the `set attr` function remotely until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Redash versions up to 10.1.0/25.1.0 **Description** A critical issue affects the `run query` function of the `/query runner/python.py` file in the `getattr` Handler component, leading to a sandbox issue. The exploit has been disclosed publicly and may be used. The vendor was contacted about this disclosure but did not respond. **Recommendations** For Redash versions up to 10.1.0/25.1.0, as a temporary workaround, consider disabling the `run query` function until a patch is available. Restrict access to the `/query runner/python.py` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** aimhubio aim versions up to 3.29.1 **Description** A critical vulnerability was found in the aimhubio aim software. This issue affects the `RestrictedPythonQuery` function of the `/aim/storage/query.py` file in the `run view Object Handler` component. The manipulation of the `Query` argument leads to a sandbox issue, which can be initiated remotely. The exploit has been disclosed to the public. **Recommendations** For aimhubio aim versions up to 3.29.1, as a temporary workaround, consider disabling the `RestrictedPythonQuery` function until a patch is available. Restrict access to the `run view Object Handler` component to minimize the risk of exploitation. Avoid using the `Query` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gradio-app gradio versions up to 5.29.1 **Description** A problematic vulnerability has been found in the CORS Handler component, specifically affecting the `is valid origin` function. The issue arises from the manipulation of the `localhost aliases` argument, leading to an origin validation error. This vulnerability can be exploited remotely, with a relatively high complexity of attack and difficult exploitability. The exploit has been publicly disclosed. **Recommendations** For versions up to 5.29.1, as a temporary workaround, consider restricting the use of the `is valid origin` function in the CORS Handler component until a patch is available. Additionally, be cautious when using the `localhost aliases` argument to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zylon PrivateGPT versions up to 0.6.2 **Description** A problematic issue was found in Zylon PrivateGPT, affecting an unknown part of the file settings.yaml. The manipulation of the `allow origins` argument leads to a permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. **Recommendations** For Zylon PrivateGPT versions up to 0.6.2, as a temporary workaround, consider restricting the `allow origins` argument to trusted domains until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** nortikin Sverchok version 1.3.0 **Description** A problematic issue was found in the function `SvSetPropNodeMK2` of the file `sverchok/nodes/object nodes/getsetprop mk2.py` of the component Set Property Mk2 Node. This issue leads to improperly controlled modification of object prototype attributes, also known as 'prototype pollution'. The attack can be launched remotely. The exploit has been publicly disclosed. **Recommendations** For nortikin Sverchok version 1.3.0, as a temporary workaround, consider disabling the `SvSetPropNodeMK2` function until a patch is available. Restrict access to the Set Property Mk2 Node component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Azure Command Line Integration (CLI) (affected versions not specified) Description: The issue is related to improper neutralization of special elements used in a command, also known as 'command injection', in Azure Command Line Integration (CLI). This allows an unauthorized attacker to elevate privileges locally. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.