Alfredo Pesoli

**Name of the Vulnerable Software and Affected Versions** Mac OS X versions 10.4.11 through 10.5.7 **Description** A format string issue in the Login Window of Mac OS X allows attackers to execute arbitrary code or cause an application crash via format string specifiers in an application name. **Recommendations** For Mac OS X version 10.4.11, update to a version later than 10.4.11. For Mac OS X versions prior to 10.5.8, update to version 10.5.8 or later.

**Name of the Vulnerable Software and Affected Versions** ContentNow versions 1.39 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `pageid` parameter in index.php. This can also be leveraged for path disclosure with an invalid `pageid` parameter. **Recommendations** For ContentNow versions 1.39 and earlier, avoid using the `pageid` parameter in the affected index.php file until a fix is available. As a temporary workaround, consider restricting access to the index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Etomite version 0.6.1.2 **Description** The issue allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the `f` parameter. This can be demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php. **Recommendations** For Etomite version 0.6.1.2, consider restricting access to the `f` parameter in the manager/index.php file to prevent directory traversal attacks. As a temporary workaround, restrict the ability of administrators to include local files using the .. (dot dot) sequence in the `f` parameter until a patch is available.