Zuhairorzaki

**Name of the Vulnerable Software and Affected Versions** CKAN versions prior to 2.9.11 CKAN versions prior to 2.10.4 **Description** A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. The issue is related to the `/user/reset` endpoint and the `id` parameter. **Recommendations** For CKAN versions prior to 2.9.11, upgrade to version 2.9.11 or later. For CKAN versions prior to 2.10.4, upgrade to version 2.10.4 or later. As a temporary workaround for users unable to upgrade, override the "/user/reset" endpoint to filter the `id` parameter in order to exclude newlines.

**Name of the Vulnerable Software and Affected Versions** MSS (Mission Support System) versions prior to 8.3.3 **Description** MSS is an open source package designed for planning atmospheric research flights. The issue concerns a method in the `index.py` file that is vulnerable to path manipulation attacks. An attacker can modify file paths to acquire sensitive information from different resources by assigning a value containing ../ to the `filename` variable. This allows the attacker to manipulate the file being read and potentially gain access to other files on the host filesystem. **Recommendations** For MSS versions prior to 8.3.3, upgrade to version 8.3.3 to address the issue. As a temporary workaround, consider restricting access to the `filename` variable to prevent path manipulation attacks. Additionally, restrict access to sensitive files and resources to minimize the risk of exploitation.