Cedric Cochin

**Name of the Vulnerable Software and Affected Versions** Windows Server 2016 Windows 10 **Description** The issue is related to an elevation of privilege vulnerability in Microsoft Cortana, which allows arbitrary website browsing on the lockscreen. This is due to insufficient access restrictions in the virtual voice assistant Cortana in Windows operating systems. The exploitation of this issue may allow an attacker to elevate their privileges. **Recommendations** For Windows Server 2016 and Windows 10, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows 10 (affected versions not specified) Windows 10 Servers (affected versions not specified) **Description** An Elevation of Privilege issue exists due to Cortana retrieving data from user input services without considering status. This allows attackers to affect the system. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For Windows 10 and Windows 10 Servers, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpGraphy versions 0.9.9a and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For phpGraphy versions 0.9.9a and earlier, update to a version later than 0.9.9a to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PhotoPost PHP Pro version 5.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag. **Recommendations** For PhotoPost PHP Pro version 5.1, update to a version that fixes this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** YaPig versions 0.95 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag, due to a cross-site scripting (XSS) vulnerability. **Recommendations** For versions 0.95 and earlier, update to a version later than 0.95 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gallery versions 1.5.1-RC2 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the `Camera Model Tag`. **Recommendations** For Gallery versions 1.5.1-RC2 and earlier, consider disabling the processing of EXIF data until a patch is available. Restrict access to the EXIF data parsing module to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: phpMyAdmin versions 2.6.0-pl2 and earlier Description: The issue allows remote attackers to inject arbitrary web script or HTML via several parameters and components, including the `PmaAbsoluteUri` parameter, the `zero rows` parameter in `read dump.php`, the confirm form, or an error message generated by the internal phpMyAdmin parser. Recommendations: For phpMyAdmin versions 2.6.0-pl2 and earlier, update to a version later than 2.6.0-pl2 to resolve the issue.