Federico Muttis

**Name of the Vulnerable Software and Affected Versions** libpurple versions 2.5.9 and earlier **Description** The issue is related to the `msn slplink process msg` function in libpurple, which allows remote attackers to execute arbitrary code or cause a denial of service by sending multiple crafted SLP messages. This can lead to memory corruption and application crash, compromising the confidentiality, integrity, and availability of protected information. The exploitation can be carried out remotely. **Recommendations** For libpurple versions 2.5.9 and earlier, consider updating to a version later than 2.5.9 to resolve the issue. As a temporary workaround, restrict the use of the `msn slplink process msg` function until a patch is available. Additionally, be cautious when receiving SLP messages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions 3.6.10 PL3 through 3.7.2 PL1 **Description** A cross-site scripting issue exists when the "Show New Private Message Notification Pop-Up" feature is enabled, allowing remote authenticated users to inject arbitrary web script or HTML via a private message subject, referred to as `newpm[title]`. **Recommendations** For versions 3.6.10 PL3 through 3.7.2 PL1, consider disabling the "Show New Private Message Notification Pop-Up" feature to mitigate the risk of exploitation.