Francisco Amato

**Name of the Vulnerable Software and Affected Versions** Apple iTunes versions prior to 10.5.1 **Description** The issue allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update. This can be achieved by exploiting the lack of proper verification of update authenticity, potentially through techniques such as DNS cache poisoning. **Recommendations** For versions prior to 10.5.1, update to version 10.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Novell GroupWise versions prior to 6.5.7 **Description** The issue is related to a stack-based buffer overflow that occurs when the HTML preview of e-mail is enabled. This allows remote attackers to execute arbitrary code via a long SRC attribute in an IMG element when forwarding or replying to a crafted e-mail. **Recommendations** For versions prior to 6.5.7, update to version 6.5.7 or later to resolve the issue. As a temporary workaround, consider disabling the HTML preview of e-mail to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GroupWise versions 6.5.3 and possibly earlier **Description** The issue is related to an integer overflow in the registry parsing code, which can be exploited by remote attackers to cause a denial of service, resulting in an application crash. This can be achieved by specifying a large TCP/IP port in the Windows registry key. **Recommendations** For GroupWise version 6.5.3 and possibly earlier, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Novell GroupWise version 6.5 **Description** The issue is related to a buffer overflow that allows remote attackers to execute arbitrary code. This is achieved by using a GWVW02xx.INI language file with a long entry. Specifically, a long ES02TKS.VEW value in the Group Task section can be used to demonstrate this issue. **Recommendations** For Novell GroupWise version 6.5, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Novell Groupwise WebAccess version 6.5 Description: A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI, such as "j&#X41vascript" in an IMG tag. Recommendations: For Novell Groupwise WebAccess version 6.5, update to a version released after July 11, 2005 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Novell iChain Mini FTP Server versions 2.3 and earlier **Description** The issue allows remote attackers to conduct brute force login attacks due to the lack of limitation on the number of incorrect logins. **Recommendations** For Novell iChain Mini FTP Server versions 2.3 and earlier, consider implementing a workaround to limit the number of incorrect login attempts to prevent brute force attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Novell iChain Mini FTP Server version 2.3 **Description** The issue allows remote attackers to obtain sensitive information and facilitates brute force attacks by displaying different error messages based on whether a user exists or not. **Recommendations** For Novell iChain Mini FTP Server version 2.3, consider modifying the error messages to be more generic, avoiding the disclosure of sensitive information about user existence. As a temporary workaround, restrict access to the FTP server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Novell iChain versions 2.2 through 2.3 SP2 **Description** The issue allows remote unauthenticated attackers to obtain the full path of the server. This is achieved via the PWD command in the Mini FTP server. **Recommendations** For Novell iChain versions 2.2 through 2.3 SP2, consider restricting access to the Mini FTP server until a fix is available. As a temporary workaround, disabling the PWD command in the Mini FTP server may help minimize the risk of exploitation.