Alex Vandiver

**Nome do software vulnerável e versões afetadas** Versões do Apache CouchDB anteriores à 3.2.2 **Descrição** O problema diz respeito a uma instalação padrão do Apache CouchDB com segurança inadequada, permitindo que um invasor acesse o sistema sem autenticação e obtenha privilégios de administrador. A documentação do CouchDB recomenda proteger adequadamente a instalação, incluindo o uso de um firewall na frente de todas as instalações do CouchDB. Estima-se que um número significativo de instalações possa estar vulnerável, com relatórios sugerindo cerca de 80.000 resultados de uma consulta no ZoomEye e mais de 1.500 resultados de uma pesquisa no Shodan. **Recomendações** Para versões do Apache CouchDB anteriores à 3.2.2, atualize para a versão 3.2.2 ou posterior para resolver o problema. Como solução temporária, considere usar um firewall na frente da instalação do CouchDB para restringir o acesso e minimizar o risco de exploração. Além disso, siga as recomendações da documentação do CouchDB para proteger adequadamente a instalação.

**Name of the Vulnerable Software and Affected Versions** Jifty::DBI versions prior to 0.68 **Description** The issue is related to a SQL injection vulnerability. **Recommendations** For versions prior to 0.68, update to version 0.68 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Email::Address::List versions prior to 0.02 RT versions 4.2.0 through 4.2.2 **Description** The issue allows remote attackers to cause a denial of service, specifically CPU consumption, by providing a string without an address. This is related to an algorithmic complexity vulnerability. **Recommendations** For Email::Address::List versions prior to 0.02, update to version 0.02 or later. For RT versions 4.2.0 through 4.2.2, update to a version outside of this range or apply a patch that fixes the algorithmic complexity vulnerability in Email::Address::List.

**Name of the Vulnerable Software and Affected Versions** Request Tracker versions 4.0.0 through 4.0.12 RT-Extension-MobileUI extension version prior to 1.04 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the name of an attached file. **Recommendations** For Request Tracker versions 4.0.0 through 4.0.12, update the RT-Extension-MobileUI extension to version 1.04 or later. For RT-Extension-MobileUI extension version prior to 1.04, update to version 1.04 or later.

**Name of the Vulnerable Software and Affected Versions** Best Practical Solutions RT RTFM extension versions 2.0.4 through 2.4.3 rtfm package (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the topic administration page of the RTFM extension, allowing remote attackers to inject arbitrary web script or HTML. This could lead to a breach of protected information integrity. The exploitation of these vulnerabilities can be done remotely. **Recommendations** For RTFM extension versions 2.0.4 through 2.4.3, consider disabling access to the topic administration page until a patch is available. As a temporary workaround, restrict the use of the RTFM extension to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Authen::ExternalAuth extension versions prior to 0.11 **Description** The issue allows remote attackers to obtain a logged-in session via unspecified vectors related to the "URL of a RSS feed of the user." **Recommendations** For versions prior to 0.11, update to version 0.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Best Practical Solutions RT versions 3.8.x through 4.0.5 Extension::MobileUI extension version 1.01 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, due to multiple cross-site scripting (XSS) vulnerabilities in the topic administration page. **Recommendations** For Best Practical Solutions RT versions 3.8.x through 4.0.5, update to version 4.0.6 or later. For Extension::MobileUI extension version 1.01 and earlier, update to version 1.02 or later.