Robert Fly

**Name of the Vulnerable Software and Affected Versions** Musicmatch Jukebox versions 10.00.2047 and earlier **Description** The issue allows local users to gain privileges through a malicious file. This occurs when MMFWLaunch.exe attempts to execute launch.exe and instead runs a malicious C:program.exe file. **Recommendations** For Musicmatch Jukebox versions 10.00.2047 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Musicmatch Jukebox versions 10.00.2047 and earlier **Description** The issue allows systems in the musicmatch.com domain to conduct unauthorized activities due to the addition of the musicmatch.com domain to the Trusted Sites zone in Internet Explorer. This can be exploited using cross-site scripting (XSS) attacks. **Recommendations** For Musicmatch Jukebox versions 10.00.2047 and earlier, consider removing the musicmatch.com domain from the Trusted Sites zone in Internet Explorer as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Musicmatch versions 10.00.2047 and earlier **Description** The issue allows local users to potentially obtain sensitive information because log files are stored in the Program Files directory instead of the user profile. **Recommendations** For Musicmatch versions 10.00.2047 and earlier, consider changing the log file storage location to the user profile directory to minimize the risk of sensitive information disclosure.

**Name of the Vulnerable Software and Affected Versions** Musicmatch versions 10.00.2047 and earlier **Description** The issue allows remote attackers to overwrite arbitrary files. This is achieved via the `bstrSavePath` argument in the DiagCollectionControl.dll component. **Recommendations** For Musicmatch versions 10.00.2047 and earlier, consider restricting access to the DiagCollectionControl.dll component until a patch is available. As a temporary workaround, avoid using the `bstrSavePath` argument in sensitive operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Horde version 3.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities can be exploited via the `group` parameter to "prefs.php" or the `url` parameter to "index.php". **Recommendations** For Horde version 3.0, update to a version that contains a fix for this issue to prevent exploitation.