Mike

**Nome do software vulnerável e versões afetadas** Plugin ZD YouTube FLV Player para WordPress, versões até a 1.2.6, inclusive **Descrição** A vulnerabilidade permite que invasores não autenticados realizem solicitações web para locais arbitrários a partir da aplicação web, o que pode ser usado para consultar e modificar informações de serviços internos. Isso é feito por meio do parâmetro `$ GET[‘image’]`. **Recomendações** Para versões até a 1.2.6, inclusive, atualize o plugin ZD YouTube FLV Player para WordPress para uma versão que não seja afetada por esta vulnerabilidade. Como solução temporária, considere restringir o acesso ao parâmetro `$ GET[‘image’]` para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 4.x through 10.0 Firefox ESR versions 10.x before 10.0.3 Thunderbird versions 5.0 through 10.0 Thunderbird ESR versions 10.x before 10.0.3 SeaMonkey version 2.8 and earlier **Description** A CRLF injection issue allows remote web servers to bypass intended Content Security Policy (CSP) restrictions and possibly conduct cross-site scripting (XSS) attacks via crafted HTTP headers. **Recommendations** For Mozilla Firefox versions 4.x through 10.0, update to version 10.0.3 or later. For Firefox ESR versions 10.x before 10.0.3, update to version 10.0.3 or later. For Thunderbird versions 5.0 through 10.0, update to version 10.0.3 or later. For Thunderbird ESR versions 10.x before 10.0.3, update to version 10.0.3 or later. For SeaMonkey version 2.8 and earlier, update to version 2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 3.2.x through 3.2.9 Bugzilla versions 3.4.x through 3.4.9 Bugzilla versions 3.6.x through 3.6.3 Bugzilla versions 4.0.x through 4.0rc1 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI, specifically by creating a clickable link for a `javascript:` or `data:` URI in the URL field. **Recommendations** For Bugzilla versions 3.2.x through 3.2.9, update to version 3.2.10 or later. For Bugzilla versions 3.4.x through 3.4.9, update to version 3.4.10 or later. For Bugzilla versions 3.6.x through 3.6.3, update to version 3.6.4 or later. For Bugzilla versions 4.0.x through 4.0rc1, update to version 4.0rc2 or later.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions 3.8.1 and earlier **Description** The issue allows remote attackers to cause a denial of service, resulting in an infinite loop and memory consumption. This occurs when a packet with invalid data is sent to UDP port 1701, causing the `l2tp avp print` function to use a bad length value when calling `print octets`. **Recommendations** For versions 3.8.1 and earlier, update to a version later than 3.8.1 to resolve the issue.