Keigo Yamazaki

**Nome do software vulnerável e versões afetadas** awkblog versões 0.0.1 e anteriores **Descrição** Um invasor remoto não autenticado pode executar um comando arbitrário do sistema operacional com os privilégios do produto afetado, enviando uma solicitação HTTP especialmente criada. Essa vulnerabilidade permite a execução de comandos na máquina que executa o produto. **Recomendações** Para as versões 0.0.1 e anteriores, atualize para uma versão que corrija a vulnerabilidade de injeção de comando no sistema operacional. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** i-FILTER versions 9.50R05 and earlier **Description** The issue allows remote attackers to inject arbitrary HTTP headers, potentially leading to HTTP response splitting attacks. This could result in arbitrary script injection or setting arbitrary cookie values. **Recommendations** For versions 9.50R05 and earlier, update to a version later than 9.50R05 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** i-FILTER versions prior to 9.50R05 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 9.50R05, update to a version later than 9.50R05 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ASUS RT-AC87U Firmware versions prior to 3.0.0.4.378.9383 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For versions prior to 3.0.0.4.378.9383, update to version 3.0.0.4.378.9383 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions prior to 4.2.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 4.2.0, update to version 4.2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RAKUS MailDealer versions 11.2.1 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability can be exploited by a remote attacker to inject arbitrary web script or HTML code. The exploitation can occur through a specially crafted attachment filename. **Recommendations** For RAKUS MailDealer versions 11.2.1 and earlier, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting the handling of attachment filenames to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Usermin versions prior to 1.600 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 1.600, update to version 1.600 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Olive Toast Documents Pro File Viewer (formerly Files HD) versions prior to 1.11.1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability, which allows remote attackers to inject arbitrary web script or HTML. This can be achieved via unspecified vectors. **Recommendations** For versions prior to 1.11.1, update to version 1.11.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Olive Toast Documents Pro File Viewer (formerly Files HD) versions prior to 1.11.1 **Description** The issue allows remote attackers to read or delete files by leveraging guest access, due to a directory traversal vulnerability in the app. **Recommendations** For versions prior to 1.11.1, update to version 1.11.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GoodReader app versions 3.16 and earlier for iOS on the iPad GoodReader app versions 3.15.1 and earlier for iOS on the iPhone and iPod touch **Description** The issue allows remote attackers to inject arbitrary web script or HTML via vectors involving use of the GoodReader app in conjunction with a web browser. This is a cross-site scripting (XSS) issue. **Recommendations** For GoodReader app versions 3.16 and earlier on the iPad, update to a version later than 3.16. For GoodReader app versions 3.15.1 and earlier on the iPhone and iPod touch, update to a version later than 3.15.1.

Name of the Vulnerable Software and Affected Versions: Safari versions prior to 3.0.4 on Windows and Mac OS X Safari in Apple iPhone version 1.1.1 Description: The issue allows remote attackers to alter or access HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages from the same domain. Recommendations: For Safari versions prior to 3.0.4 on Windows and Mac OS X, update to version 3.0.4 or later to resolve the issue. For Safari in Apple iPhone version 1.1.1, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webmin versions prior to 1.280 **Description** A directory traversal issue allows remote attackers to read arbitrary files via backslash characters in the URL to certain directories under the web root, such as the image directory, when Webmin is run on Windows. **Recommendations** For versions prior to 1.280, update to version 1.280 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** XOOPS versions 2.0.12 JP and earlier XOOPS versions 2.0.13.1 and earlier XOOPS versions 2.2.x up to 2.2.3 RC1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via modules that use "XOOPS Code" and newbb in the forum module, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For XOOPS versions 2.0.12 JP and earlier, update to a version later than 2.0.12 JP to resolve the issue. For XOOPS versions 2.0.13.1 and earlier, update to a version later than 2.0.13.1 to resolve the issue. For XOOPS versions 2.2.x up to 2.2.3 RC1, update to a version later than 2.2.3 RC1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Webmin versions prior to 1.230 Usermin versions prior to 1.160 **Description** The issue allows remote attackers to bypass authentication by spoofing session IDs via certain metacharacters, such as line feed or carriage return, when "full PAM conversations" is enabled. **Recommendations** For Webmin versions prior to 1.230, update to version 1.230 or later to resolve the issue. For Usermin versions prior to 1.160, update to version 1.160 or later to resolve the issue. As a temporary workaround, consider disabling the "full PAM conversations" feature until a patch is available.

Name of the Vulnerable Software and Affected Versions: nProtect:Netizen version 2005.3.17.1 Description: The issue arises from the software's failure to properly verify the authenticity of its update module, allowing remote malicious websites to write arbitrary files. Recommendations: For version 2005.3.17.1, consider restricting access to update modules to only authorized sites as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer version 6.0 SP1 **Description** The issue arises from the improper handling of certain character strings in the Path attribute, allowing remote attackers to modify cookies in other domains. This can occur when the attacker's domain name is within the target's domain name or when wildcard DNS is being used, enabling the hijacking of web sessions. **Recommendations** For Microsoft Internet Explorer version 6.0 SP1, consider applying configuration changes to restrict cookie access to prevent session hijacking until a proper fix is available. As a temporary workaround, restrict the use of wildcard DNS to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.140 **Description** A remote attacker can bypass access control rules and gain read access to configuration information for a module due to an unknown vulnerability in the software. **Recommendations** For Webmin version 1.140, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.140 Usermin versions prior to 1.070-r1 **Description** The issue concerns the account lockout functionality, which does not properly parse certain character strings. This allows remote attackers to perform brute force attacks to guess user IDs and passwords. Multiple vulnerabilities in the Usermin package can lead to breaches of confidentiality, integrity, and availability of protected information, and these can be exploited remotely. **Recommendations** For Webmin version 1.140, update to a version that addresses the account lockout functionality issue. For Usermin versions prior to 1.070-r1, update to version 1.070-r1 or later to resolve the multiple vulnerabilities. As a temporary workaround, consider restricting access to the account lockout functionality until a patch is available.