Laurent Gaffié

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows Vista SP2 Microsoft Windows Server 2008 SP2 and R2 SP1 Microsoft Windows 7 SP1 Microsoft Windows 8.1 Microsoft Windows Server 2012 Gold and R2 Microsoft Windows RT 8.1 Microsoft Windows 10 versions Gold through 1607 Microsoft Windows Server 2016 **Description** The issue is related to insufficient access control in the Local Security Authority Subsystem Service (LSASS) of the Windows operating system. It allows remote authenticated users to cause a denial of service, resulting in a system hang, via a crafted request. This can be exploited by an attacker to affect the system. **Recommendations** For Microsoft Windows Vista SP2, apply the relevant security update to resolve the issue. For Microsoft Windows Server 2008 SP2 and R2 SP1, apply the relevant security update to resolve the issue. For Microsoft Windows 7 SP1, apply the relevant security update to resolve the issue. For Microsoft Windows 8.1, apply the relevant security update to resolve the issue. For Microsoft Windows Server 2012 Gold and R2, apply the relevant security update to resolve the issue. For Microsoft Windows RT 8.1, apply the relevant security update to resolve the issue. For Microsoft Windows 10 versions Gold through 1607, apply the relevant security update to resolve the issue. For Microsoft Windows Server 2016, apply the relevant security update to resolve the issue. As a temporary workaround, consider restricting access to the LSASS service until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Novell Netware versions 6.5 SP8 and earlier **Description** The issue is related to a stack-based buffer overflow in the CIFS.NLM driver. This occurs when processing a Sessions Setup AndX packet that contains a long `AccountName`. The overflow can be exploited by remote attackers to execute arbitrary code. **Recommendations** For Novell Netware versions 6.5 SP8 and earlier, consider applying security patches or updates that address the stack-based buffer overflow in the CIFS.NLM driver. As a temporary workaround, restrict access to the CIFS.NLM driver to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows Server 2008 R2 Microsoft Windows 7 **Description** A denial of service issue exists in the Microsoft Server Message Block (SMB) client implementation, allowing remote SMB servers and man-in-the-middle attackers to cause a system hang via a specially crafted SMB response packet. This can be achieved by sending an SMBv1 or SMBv2 response packet with an incorrect length value in a NetBIOS header or an additional length field at the end of the response packet. An attempt to exploit this issue does not require authentication, and a successful exploitation could cause the computer to stop responding until restarted. **Recommendations** For Microsoft Windows Server 2008 R2, apply the necessary patch to fix the SMB client implementation. For Microsoft Windows 7, apply the necessary patch to fix the SMB client implementation. As a temporary workaround, consider restricting access to SMB services until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Snort versions prior to 2.8.5.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash, by sending a crafted IPv6 packet using either the TCP or ICMP protocol when the -v option is enabled. **Recommendations** For versions prior to 2.8.5.1, update to version 2.8.5.1 or later to resolve the issue. As a temporary workaround, consider disabling the -v option to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions prior to a fixed version **Description** The issue is related to an array index error in the SMBv2 protocol implementation, allowing remote attackers to execute arbitrary code or cause a denial of service via a specially crafted NEGOTIATE PROTOCOL REQUEST packet. This can be achieved by including an & (ampersand) character in a Process ID High header field, which triggers an attempted dereference of an out-of-bounds memory location. The vulnerability can also be exploited by sending specially crafted SMB packets to a computer running the Server service, potentially allowing an attacker to take complete control of the system. **Recommendations** For Microsoft Windows versions prior to a fixed version, apply the necessary patches or updates to resolve the issue. As a temporary workaround, consider restricting access to the SMBv2 protocol to minimize the risk of exploitation. Avoid using the `Process ID High` header field in the NEGOTIATE PROTOCOL REQUEST packet until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Koan Software Mega Mall (affected versions not specified) **Description** The issue concerns SQL injection vulnerabilities that allow remote attackers to execute arbitrary SQL commands. This can be achieved by manipulating specific parameters in certain PHP files. The vulnerable parameters include `t`, `productId`, `sk`, `x`, and `so` in the "product review.php" file, and the `orderNo` parameter in the "order-track.php" file. **Recommendations** For Koan Software Mega Mall, consider temporarily restricting access to the "product review.php" and "order-track.php" files until a patch is available. Avoid using the parameters `t`, `productId`, `sk`, `x`, `so`, and `orderNo` in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Koan Software Mega Mall (affected versions not specified) **Description** The issue allows remote attackers to obtain the installation path via a request with an empty value of the `x[]` parameter in the product review.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: PhpMyAdmin versions prior to 2.9.1.1 Description: The issue allows remote attackers to obtain the full server path. This can be achieved through direct requests to certain scripts, such as scripts/check lang.php and themes/darkblue orange/layout.inc.php. Additionally, the issue can be exploited via specific array arguments to index.php, including `lang[]`, `target[]`, `db[]`, `goto[]`, `table[]`, and `tbl group[]`. Other vulnerable parameters include the `back[]` argument to sql.php, an invalid `sort by` parameter to server databases.php, and the `db` parameter to db printview.php. Recommendations: For versions prior to 2.9.1.1, update to version 2.9.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable scripts and parameters, such as scripts/check lang.php, themes/darkblue orange/layout.inc.php, and the specified array arguments to index.php, until a patch is applied. Avoid using the vulnerable parameters, including `lang[]`, `target[]`, `db[]`, `goto[]`, `table[]`, `tbl group[]`, `back[]`, `sort by`, and `db`, in the affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: PhpMyAdmin versions prior to 2.9.1.1 Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary HTML or web script via several parameters and files, including: - a comment for a table name, - the `db` parameter to "db create.php", - the `newname` parameter to "db operations.php", - the `query history latest`, `query history latest db`, and `querydisplay tab` parameters to "querywindow.php", - the `pos` parameter to "sql.php". No information is provided about the estimated number of potentially affected devices or real-world incidents. Recommendations: For versions prior to 2.9.1.1, update to version 2.9.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "db operations.php", "db create.php", "querywindow.php", and "sql.php", until a patch is applied. Avoid using the vulnerable parameters, such as `db`, `newname`, `query history latest`, `query history latest db`, `querydisplay tab`, and `pos`, in the affected files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CandyPress Store version 3.5.2.14 **Description** The issue concerns SQL injection vulnerabilities that allow remote attackers to execute arbitrary SQL commands. This can be achieved via the `policy` parameter in "openPolicy.asp" or the `brand` parameter in "prodList.asp". **Recommendations** For CandyPress Store version 3.5.2.14, consider restricting access to the vulnerable API endpoints "openPolicy.asp" and "prodList.asp" to minimize the risk of exploitation. Avoid using the `policy` and `brand` parameters in these endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BlogMe version 3.0 **Description** The issue concerns SQL injection vulnerabilities in the admin login.asp file. Remote attackers can execute arbitrary SQL commands by manipulating the `Username` or `Password` fields. **Recommendations** For BlogMe version 3.0, consider restricting access to the admin login.asp file until a patch is available. As a temporary workaround, avoid using the `Username` and `Password` fields in the admin login.asp file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BlogMe version 3.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the comments.asp file. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `Name`, `URL`, or `Comments` field. **Recommendations** For BlogMe version 3.0, consider disabling the comments.asp file or restricting input to the `Name`, `URL`, and `Comments` fields until a patch is available. Avoid using these fields in the affected comments.asp file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Hpecs Shopping Cart (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `username` and `password` fields in the login screen, as well as the `searchstring` parameter in the "insearch list.asp" endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Speedywiki version 2.0 **Description** The issue allows remote authenticated users to upload and execute arbitrary PHP code. This is achieved by setting the `upload` parameter to 1 in the index.php file. **Recommendations** For Speedywiki version 2.0, consider restricting access to the index.php file to prevent unauthorized uploads until a patch is available. As a temporary workaround, disable the file upload functionality in index.php to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Speedywiki version 2.0 **Description** The issue allows remote attackers to obtain the full path of the web server. This can be achieved via the `showRevisions[]` and `searchText[]` parameters in "index.php", and also through a direct request to "upload.php" without any parameters. **Recommendations** For Speedywiki version 2.0, consider restricting access to the `showRevisions[]` and `searchText[]` parameters in "index.php" and limit direct requests to "upload.php" to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Abarcar Realty Portal (affected versions not specified) Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `neid` parameter to "newsdetails.php" or the `slid` parameter to "slistl.php". However, it's noted that "slistl.php/slid" never existed in any version of the software. The vendor has also stated that the current version only creates static pages. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Speedywiki version 2.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `showRevisions` parameter in the "index.php" file. **Recommendations** For Speedywiki version 2.0, consider restricting access to the `showRevisions` parameter in the "index.php" file until a patch is available. As a temporary workaround, avoid using the `showRevisions` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeWebshop versions 2.2.2 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `cat` parameter in the "index.php" file. **Recommendations** For FreeWebshop versions 2.2.2 and earlier, update to a version later than 2.2.2 to resolve the issue. As a temporary workaround, consider restricting access to the `cat` parameter in the "index.php" file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeWebshop versions 2.2.2 and earlier **Description** A directory traversal issue exists, allowing remote attackers to read and include arbitrary files. This is achieved by using a .. (dot dot) in the `page` parameter of the index.php file. **Recommendations** For FreeWebshop versions 2.2.2 and earlier, consider restricting access to the index.php file until a fix is available. As a temporary workaround, avoid using the `page` parameter in the index.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.