Nicolas Grégoire

**Nome do software vulnerável e versões afetadas: Versões do PyAMF anteriores à 0.8.0 Descrição: A vulnerabilidade permite que invasores remotos provoquem uma negação de serviço ou leiam arquivos arbitrários por meio de uma carga maliciosa no formato Action Message Format (AMF). Isso se deve a uma vulnerabilidade de entidade externa XML (XXE). O PyAMF oferece suporte ao Action Message Format (AMF) para Python, compatível com o Adobe Flash Player, e inclui integração com várias estruturas web do Python. Recomendações: Para versões anteriores à 0.8.0, atualize para a versão 0.8.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso à funcionalidade de processamento de carga útil AMF até que um patch seja aplicado.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 4.0.1 **Description** The issue concerns a session fixation vulnerability in the forgot password mechanism. This allows remote attackers to hijack web sessions via the session ID when a user sets a new password. **Recommendations** For versions prior to 4.0.1, update to version 4.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 53 Firefox ESR versions prior to 52.1 Firefox ESR versions prior to 45.9 Thunderbird versions prior to 52.1 **Description** A use-after-free issue occurs during XSLT processing, potentially leading to a crash. This is due to the result handler being held by a freed handler. The vulnerability can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Firefox versions prior to 53, update to version 53 or later. For Firefox ESR versions prior to 52.1, update to version 52.1 or later. For Firefox ESR versions prior to 45.9, update to version 45.9 or later. For Thunderbird versions prior to 52.1, update to version 52.1 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 52.1 Firefox ESR versions prior to 52.1 Firefox ESR versions prior to 45.9 Firefox versions prior to 53 **Description** A use-after-free issue occurs during XSLT processing due to poor handling of template parameters, resulting in a potentially exploitable crash. The vulnerability is related to the `nsTArray Length()` function and is associated with the use of memory after it has been freed when processing XSLT documents. This could allow a remote attacker to cause a denial of service. **Recommendations** For Thunderbird versions prior to 52.1, update to version 52.1 or later. For Firefox ESR versions prior to 52.1, update to version 52.1 or later. For Firefox ESR versions prior to 45.9, update to version 45.9 or later. For Firefox versions prior to 53, update to version 53 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 52.1 Firefox ESR versions prior to 52.1 Firefox ESR versions prior to 45.9 Firefox versions prior to 53 **Description** A use-after-free issue occurs during XSLT processing due to a failure to propagate error conditions, leading to objects being used after they no longer exist, resulting in a potentially exploitable crash. The vulnerability is related to the `txExecutionState` function and is associated with the use of memory after it has been freed during the processing of XSLT documents. This can allow a remote attacker to cause a denial of service. **Recommendations** For Thunderbird versions prior to 52.1, update to version 52.1 or later. For Firefox ESR versions prior to 52.1, update to version 52.1 or later. For Firefox ESR versions prior to 45.9, update to version 45.9 or later. For Firefox versions prior to 53, update to version 53 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 51 Firefox ESR versions prior to 45.7 Thunderbird versions prior to 45.7 **Description** The issue is related to a use-after-free error that occurs when manipulating XSL in XSLT documents. **Recommendations** For Firefox versions prior to 51, update to version 51 or later. For Firefox ESR versions prior to 45.7, update to version 45.7 or later. For Thunderbird versions prior to 45.7, update to version 45.7 or later.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** A remote issue in libxslt for Apple products allows attackers to cause a denial of service or have other impacts on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libxslt versions prior to 1.1.29 Google Chrome versions prior to 51.0.2704.63 **Description** The issue is related to errors in namespace handling in the libxslt library, specifically in the numbers.c file. This can be exploited by a remote attacker using a specially crafted document, potentially leading to a denial of service or other unspecified impacts due to out-of-bounds heap memory access. **Recommendations** For libxslt versions prior to 1.1.29, update to version 1.1.29 or later to resolve the issue. For Google Chrome versions prior to 51.0.2704.63, update to version 51.0.2704.63 or later to resolve the issue. As a temporary workaround, consider restricting the use of specially crafted documents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libxslt versions prior to 1.1.29 Google Chrome versions prior to 51.0.2704.63 **Description** The issue is related to the mishandling of the i format token for xsl:number data in the numbers.c file of libxslt. This can be exploited by remote attackers to cause a denial of service, such as integer overflow or resource consumption, or possibly have other unspecified impacts via a crafted document. **Recommendations** For libxslt versions prior to 1.1.29, update to version 1.1.29 or later to resolve the issue. For Google Chrome versions prior to 51.0.2704.63, update to version 51.0.2704.63 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 45.0 Firefox ESR versions prior to 38.7 **Description** The issue is related to a use-after-free vulnerability in the AtomicBaseIncDec function. This vulnerability can be exploited by remote attackers to execute arbitrary code or cause a denial of service due to heap memory corruption. The exploitation is possible by leveraging the mishandling of XML transformations. **Recommendations** For Mozilla Firefox versions prior to 45.0, update to version 45.0 or later. For Firefox ESR versions prior to 38.7, update to version 38.7 or later.

**Name of the Vulnerable Software and Affected Versions** Zend Framework 1.x versions 1.11.13 and earlier Zend Framework 1.x versions 1.12.x before 1.12.0 **Description** The issue arises from the improper handling of SimpleXMLElement classes by Zend Dom, Zend Feed, and Zend Soap components in Zend Framework. This allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request. This is known as an XML external entity (XXE) injection attack. **Recommendations** For versions prior to 1.11.13, update to version 1.11.13 or later to resolve the issue. For versions 1.12.x prior to 1.12.0, update to version 1.12.0 or later to resolve the issue. As a temporary workaround, consider disabling the XML-RPC request handling in the affected components until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Inkscape versions prior to 0.48.4 **Description** The issue concerns an XML external entity (XXE) injection attack in the rasterization process. This allows local users to read arbitrary files via an external entity in a SVG file. **Recommendations** For versions prior to 0.48.4, update to version 0.48.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 15.0 Firefox ESR 10.x versions prior to 10.0.7 Thunderbird versions prior to 15.0 Thunderbird ESR 10.x versions prior to 10.0.7 SeaMonkey versions prior to 2.12 **Description** The issue allows remote attackers to obtain sensitive information via unspecified vectors that trigger a heap-based buffer over-read in the format-number functionality in the XSLT implementation. **Recommendations** For Mozilla Firefox versions prior to 15.0, update to version 15.0 or later. For Firefox ESR 10.x versions prior to 10.0.7, update to version 10.0.7 or later. For Thunderbird versions prior to 15.0, update to version 15.0 or later. For Thunderbird ESR 10.x versions prior to 10.0.7, update to version 10.0.7 or later. For SeaMonkey versions prior to 2.12, update to version 2.12 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.6.26 and 4.x through 9.0 Thunderbird versions prior to 3.1.18 and 5.0 through 9.0 SeaMonkey versions prior to 2.7 **Description** The issue allows remote attackers to cause a denial of service, resulting in memory corruption and application crash, or possibly execute arbitrary code. This is achieved via a malformed XSLT stylesheet embedded in a document. **Recommendations** For Mozilla Firefox versions prior to 3.6.26 and 4.x through 9.0, update to a version outside of the affected range to resolve the issue. For Thunderbird versions prior to 3.1.18 and 5.0 through 9.0, update to a version outside of the affected range to resolve the issue. For SeaMonkey versions prior to 2.7, update to a version outside of the affected range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Groove 2007 SP2 SharePoint Workspace 2010 Gold and SP1 Office Forms Server 2007 SP2 Office SharePoint Server 2007 SP2 Office SharePoint Server 2010 Gold and SP1 Office Groove Data Bridge Server 2007 SP2 Office Groove Management Server 2007 SP2 Groove Server 2010 Gold and SP1 Windows SharePoint Services 3.0 SP2 SharePoint Foundation 2010 Office Web Apps 2010 Gold and SP1 **Description** The issue allows remote authenticated users to read arbitrary files via a crafted XML and XSL file. A file disclosure vulnerability exists in Microsoft Office SharePoint that could allow a malicious authenticated user to use a specially crafted XML file to gain read-only access to a local file on the SharePoint server under the security context of the account running SharePoint. **Recommendations** For Microsoft Office Groove 2007 SP2, consider disabling the Web Parts containing XML classes referencing external entities until a patch is available. For SharePoint Workspace 2010 Gold and SP1, restrict access to the XML file upload feature to minimize the risk of exploitation. For Office Forms Server 2007 SP2, avoid using the XML and XSL file combination in the Web Parts until the issue is resolved. For Office SharePoint Server 2007 SP2, apply configuration changes to limit the access to local files on the SharePoint server. For Office SharePoint Server 2010 Gold and SP1, restrict the security context of the account running SharePoint to prevent read-only access to local files. For Office Groove Data Bridge Server 2007 SP2, consider disabling the Web Parts feature until a patch is available. For Office Groove Management Server 2007 SP2, restrict access to the XML file upload feature to minimize the risk of exploitation. For Groove Server 2010 Gold and SP1, avoid using the XML and XSL file combination in the Web Parts until the issue is resolved. For Windows SharePoint Services 3.0 SP2, apply configuration changes to limit the access to local files on the SharePoint server. For SharePoint Foundation 2010, restrict the security context of the account running SharePoint to prevent read-only access to local files. For Office Web Apps 2010 Gold and SP1, consider disabling the Web Parts containing XML classes referencing external entities until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal Community Edition (CE) versions 6.0.0 through 6.0.5 **Description** The issue allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, when Apache Tomcat is used. **Recommendations** For versions 6.0.0 through 6.0.5, update to version 6.0.6 GA or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal Community Edition (CE) versions prior to 6.0.6 GA **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via a message title when Apache Tomcat is used. **Recommendations** For versions prior to 6.0.6 GA, update to version 6.0.6 GA or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal Community Edition versions 5.x through 6.0.5 **Description** A cross-site scripting issue allows remote authenticated users to inject arbitrary web script or HTML via a blog title. **Recommendations** For versions 5.x through 6.0.5, update to version 6.0.6 GA or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal Community Edition (CE) versions 5.x through 6.0.5 GA **Description** The issue allows remote authenticated users to read arbitrary XSL and XML files. This is possible due to a flaw in the XSL Content portlet when used with Apache Tomcat or Oracle GlassFish. **Recommendations** For versions 5.x through 6.0.5 GA, consider restricting access to the XSL Content portlet until a fix is applied, and update to version 6.0.6 GA or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** xmlsec1 versions prior to 1.2.17 xmlsec1-openssl versions 1.2.6 through 1.2.9 xmlsec1-openssl-devel versions 1.2.6 through 1.2.9 xmlsec1-gnutls versions 1.2.9 xmlsec1-gnutls-devel versions 1.2.9 xmlsec1-nss versions 1.2.9 xmlsec1-nss-devel versions 1.2.9 xmlsec1-devel versions 1.2.6 through 1.2.9 **Description** The issue may lead to a breach of confidentiality, integrity, and availability of protected information. It can be exploited remotely. The vulnerability is related to the XSLT feature in the XML Security Library, which allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification. **Recommendations** For xmlsec1 versions prior to 1.2.17, update to version 1.2.17 or later. For xmlsec1-openssl versions 1.2.6 through 1.2.9, update to version 1.2.17 or later. For xmlsec1-openssl-devel versions 1.2.6 through 1.2.9, update to version 1.2.17 or later. For xmlsec1-gnutls versions 1.2.9, update to version 1.2.17 or later. For xmlsec1-gnutls-devel versions 1.2.9, update to version 1.2.17 or later. For xmlsec1-nss versions 1.2.9, update to version 1.2.17 or later. For xmlsec1-nss-devel versions 1.2.9, update to version 1.2.17 or later. For xmlsec1-devel versions 1.2.6 through 1.2.9, update to version 1.2.17 or later. As a temporary workaround, consider disabling the XSLT feature until a patch is available.