Juan Pablo Lopez Yacubian

**Nome do software vulnerável e versões afetadas** Cliente Nextcloud Desktop versão 2.6.4 **Descrição** Um erro de cross-site scripting no cliente Nextcloud Desktop permitia que um invasor apresentasse qualquer código HTML, incluindo links locais, ao responder com dados inválidos durante uma tentativa de login. **Recomendações** Para o cliente Nextcloud Desktop versão 2.6.4, atualize para uma versão mais recente que contenha uma correção para este problema. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Quest KACE versions prior to 8.0.x Quest KACE versions prior to 8.1.x Quest KACE versions prior to 9.0.x **Description** The issue allows unintentional access to the appliance by leveraging functions of the troubleshooting tools located in the administrator user interface. **Recommendations** For versions prior to 8.0.x, update to version 8.0.x or later. For versions prior to 8.1.x, update to version 8.1.x or later. For versions prior to 9.0.x, update to version 9.0.x or later.

**Name of the Vulnerable Software and Affected Versions** Apple Safari version 5.0.6 and earlier on Windows **Description** The issue is related to re-entrancy problems in ImageIO, allowing remote attackers to execute arbitrary code or cause a denial of service via a crafted TIFF file. **Recommendations** For Apple Safari version 5.0.6 and earlier on Windows, update to version 5.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions 11.0 through 11.1 RealPlayer versions 14.0.x prior to 14.0.2 RealPlayer SP versions 1.0 through 1.1.5 **Description** The issue is related to a heap-based buffer overflow in the vidplin.dll component, which can be exploited by remote attackers through a crafted header in an AVI file, allowing them to execute arbitrary code. **Recommendations** For RealPlayer versions 11.0 through 11.1, update to a version outside of this range to resolve the issue. For RealPlayer versions 14.0.x prior to 14.0.2, update to version 14.0.2 or later. For RealPlayer SP versions 1.0 through 1.1.5, update to a version outside of this range to mitigate the risk.

Name of the Vulnerable Software and Affected Versions: Mozilla Firefox versions prior to 3.0.14 Mozilla Firefox versions 3.5.x prior to 3.5.3 Description: A visual truncation issue allows remote attackers to trigger a vertical scroll and spoof URLs via unspecified Unicode characters with a tall line-height property. Recommendations: For versions prior to 3.0.14, update to version 3.0.14 or later. For versions 3.5.x prior to 3.5.3, update to version 3.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.0.13 Mozilla Firefox versions 3.5.x prior to 3.5.2 **Description** The issue allows remote attackers to spoof the address bar, and possibly conduct phishing attacks. This can be achieved via a crafted web page that calls `window.open` with an invalid character in the URL, makes `document.write` calls to the resulting object, and then calls the `stop` method during the loading of the error page. **Recommendations** For Mozilla Firefox versions prior to 3.0.13, update to version 3.0.13 or later. For Mozilla Firefox versions 3.5.x prior to 3.5.2, update to version 3.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Symbian OS (affected versions not specified) **Description** The issue concerns a denial of service that can be triggered in the web browser of Symbian OS. This can happen when JavaScript code calls the `setAttributeNode` method, causing the browser to crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pidgin version 2.4.1 libpurple-devel versions 2.5.2 and earlier libpurple-tcl versions 2.5.2 and earlier libpurple versions 2.5.2 and earlier **Description** The issue allows remote attackers to cause a denial of service, potentially leading to a crash, by sending a message with a long filename containing certain characters. This can be triggered in the `msn slplink process msg` function. Multiple vulnerabilities in the libpurple package can lead to violations of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. **Recommendations** For Pidgin version 2.4.1, consider updating to a newer version to mitigate the risk. For libpurple-devel versions 2.5.2 and earlier, restrict access to the `msn slplink process msg` function until a patch is available. For libpurple-tcl versions 2.5.2 and earlier, avoid using the vulnerable libpurple-tcl package until the issue is resolved. For libpurple versions 2.5.2 and earlier, disable the vulnerable functions temporarily to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Novell GroupWise version 7 **Description** A buffer overflow issue allows remote attackers to cause a denial of service or execute arbitrary code via a long argument in a `mailto:` URI. **Recommendations** For Novell GroupWise version 7, update to a version that includes a fix for this issue to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox version 3.0 beta 5 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash. This is achieved through JavaScript code that calls `document.write` in an infinite loop. **Recommendations** For Mozilla Firefox version 3.0 beta 5, consider disabling JavaScript as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apple Safari version 3.1.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash, by utilizing JavaScript code that calls `document.write` in an infinite loop. **Recommendations** For Apple Safari version 3.1.1, consider disabling JavaScript execution until a patch is available to prevent potential crashes caused by infinite loops in `document.write` calls.

**Name of the Vulnerable Software and Affected Versions** SmarterTools SmarterMail Enterprise version 4.3 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute of an element in the Subject field of an e-mail message. **Recommendations** For SmarterTools SmarterMail Enterprise version 4.3, consider disabling the ability to include STYLE attributes in the Subject field of e-mail messages as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Publisher (affected versions not specified) **Description** The issue involves multiple unspecified vulnerabilities that allow user-assisted remote attackers to cause a denial of service, resulting in an application crash. This can be achieved via a crafted PUB file, possibly involving wordart. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rosoft Media Player versions 4.1.7 through 4.1.8 Rosoft Media Player versions prior to 4.1.7 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via a long string in a .M3U file. **Recommendations** For Rosoft Media Player versions 4.1.7 and 4.1.8, update to a version that fixes this issue. For Rosoft Media Player versions prior to 4.1.7, update to a version that fixes this issue. As a temporary workaround, consider avoiding the use of .M3U files with long strings until a patch is available.