Diego García

**Nome do software vulnerável e versões afetadas** Agente Palo Alto Networks Cortex XDR (versões afetadas não especificadas) **Descrição** Um problema de resolução de links incorreta no agente Palo Alto Networks Cortex XDR em dispositivos Windows permite que um invasor local leia arquivos no sistema com privilégios elevados ao gerar um arquivo de suporte técnico. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** PivotX versions prior to 2.3.9 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via specific fields, including the title field to certain template files, an event field, email field, or nickname field. This can be achieved by accessing specific endpoints, such as `objects.php` or `pages.php`, and manipulating the `title`, `event`, `email`, or `nickname` fields. **Recommendations** For PivotX versions prior to 2.3.9, update to version 2.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `templates internal/pages.tpl`, `templates internal/home.tpl`, `templates internal/entries.tpl`, and `templates internal/users.tpl` templates, as well as limiting input to the `title`, `event`, `email`, and `nickname` fields in `objects.php` and `pages.php`.

**Name of the Vulnerable Software and Affected Versions** PivotX versions prior to 2.3.9 **Description** The issue allows remote authenticated users to execute arbitrary PHP code by uploading a file with a `.php` or `.php#` extension. This can be achieved by accessing the uploaded file via unspecified vectors. **Recommendations** For versions prior to 2.3.9, update to version 2.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `fileupload.php` script to prevent unauthorized file uploads. Additionally, avoid using the file upload feature until the issue is resolved.