
Paul Laudanski

#28120 of 53,640
9 CVSS total
Vulnerabilities · 2
Medium · 2
PT-2005-4713
4.0
2005-12-03
Microsoft · Internet Explorer · CVE-2005-3975
**Name of the Vulnerable Software and Affected Versions**

Drupal versions 4.5.0 through 4.5.5

Drupal versions 4.6.0 through 4.6.3

**Description**

The issue is related to an interpretation conflict in the file.inc file, allowing remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension. This causes the HTML to be executed by a victim who views the file in Internet Explorer.

**Recommendations**

For versions 4.5.0 through 4.5.5, update to a version outside of this range to mitigate the risk.

For versions 4.6.0 through 4.6.3, update to a version outside of this range to mitigate the risk.

As a temporary workaround, consider restricting access to files with GIF or JPEG extensions to minimize the risk of exploitation.
PT-2004-2314
5.0
2004-12-31
Phpbb · Phpbb Attachment Module · CVE-2004-1399
Name of the Vulnerable Software and Affected Versions: phpBB Attachment module versions 2.3.10 and earlier

Description: The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the filename, due to a directory traversal vulnerability in the Attachment module.

Recommendations: For versions 2.3.10 and earlier, update to a version later than 2.3.10 to resolve the issue.