Nico Leidecker

**Nome do software vulnerável e versões afetadas** Versões do MobileIron VSP anteriores à 5.9.1 Versões do MobileIron Sentry anteriores à 5.0 **Descrição** O problema está relacionado a um esquema de criptografia inseguro. **Recomendações** Para versões do MobileIron VSP anteriores à 5.9.1, atualize para a versão 5.9.1 ou posterior. Para versões do MobileIron Sentry anteriores à 5.0, atualize para a versão 5.0 ou posterior.

**Nome do software vulnerável e versões afetadas** Versões do MobileIron VSP anteriores à 5.9.1 Versões do MobileIron Sentry anteriores à 5.0 **Descrição** O problema está relacionado a um algoritmo fraco de ofuscação de senhas. **Recomendações** Para versões do MobileIron VSP anteriores à 5.9.1, atualize para a versão 5.9.1 ou posterior. Para versões do MobileIron Sentry anteriores à 5.0, atualize para a versão 5.0 ou posterior.

Name of the Vulnerable Software and Affected Versions: OCS Inventory NG version 1.02 for Unix Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved through SQL injection vulnerabilities in the download.php and group show.php scripts. The vulnerable parameters are `N`, `DL`, `O`, `V` in download.php and `SYSTEMID` in group show.php. Recommendations: For OCS Inventory NG version 1.02 for Unix, as a temporary workaround, consider restricting access to the download.php and group show.php scripts until a patch is available. Avoid using the parameters `N`, `DL`, `O`, `V` in the download.php script and the `SYSTEMID` parameter in the group show.php script to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OCS Inventory NG versions prior to 1.02.1 **Description** The issue allows remote attackers to read arbitrary files via a full pathname in the `log` parameter. This is due to an absolute path traversal vulnerability in the cvs.php file on Unix systems. **Recommendations** For versions prior to 1.02.1, update to version 1.02.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the cvs.php file to minimize the risk of exploitation. Avoid using the `log` parameter with full pathnames in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SurgeFTP version 2.3a1 **Description** The issue allows remote FTP servers to cause a denial of service, resulting in a restart, by sending a malformed response to a PASV command. This can be triggered with user assistance. **Recommendations** For SurgeFTP version 2.3a1, consider restricting access to the PASV command until a patch is available to prevent potential denial of service attacks.

Name of the Vulnerable Software and Affected Versions: Elxis CMS versions prior to 2006.4 20070613 Description: The issue allows remote attackers to execute arbitrary SQL commands via the `mb tracker` cookie in the `mod banners.php` file. This can lead to unauthorized access and manipulation of database content. The product was patched without updating the version number, so later downloads of version 2006.4 are not affected. Recommendations: For versions prior to 2006.4 20070613, as a temporary workaround, consider restricting access to the `mod banners.php` file until a patched version can be downloaded. Avoid using the `mb tracker` cookie in the affected module to minimize the risk of exploitation.