Blaklis

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 2.7.8 Combodo iTop versions prior to 3.0.2-1 **Description** The issue allows a user who can log in to take over any account by knowing the account's username. **Recommendations** For versions prior to 2.7.8, update to version 2.7.8 or later. For versions prior to 3.0.2-1, update to version 3.0.2-1 or later.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 2.7.8 Combodo iTop versions prior to 3.0.2-1 **Description** Combodo iTop is an open source, web-based IT service management platform. The reset password token is generated without any randomness parameter, which may lead to account takeover. **Recommendations** For versions prior to 2.7.8, update to version 2.7.8 or later to resolve the issue. For versions prior to 3.0.2-1, update to version 3.0.2-1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dompdf version 2.0.1 Dompdf versions prior to 8.0.0 **Description** The issue is related to the incorrect order of authorization checks before syntax analysis and canonization when processing `<image>` tags with uppercase letters in SVG parsing. This can allow a remote attacker to delete arbitrary files or execute arbitrary code. The vulnerability can be exploited by providing a specially crafted SVG file to Dompdf, which can lead to arbitrary object unserialization on PHP versions prior to 8.0.0 through the `phar` URL wrapper. The estimated impact includes arbitrary file deletion and potential remote code execution, depending on the available classes. **Recommendations** For Dompdf version 2.0.1, consider updating to a newer version that includes the fix for this issue. For Dompdf versions prior to 8.0.0, update to version 8.0.0 or later to mitigate the risk of arbitrary object unserialization. As a temporary workaround, consider disabling the processing of `<image>` tags in SVG files or restricting access to the `phar` URL wrapper until a patch is available. Restrict access to the `Image/Cache.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 7.x through 8.x **Description** A remote code execution issue exists within multiple subsystems of Drupal. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. The issue is related to Drupal core and is being exploited in the wild. **Recommendations** For versions 7.x and 8.x, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.