Stefan Bühler

**Nome do Software Vulnerável e Versões Afetadas** Alinto SOPE SOGo versões 2.0.2 até 5.12.2 **Descrição** Este problema envolve uma desreferência de ponteiro nulo em `sope-core/NGExtensions/NGHashMap.m` que pode levar a uma queda da aplicação SOGo. A vulnerabilidade ocorre quando uma solicitação contém um parâmetro na string de consulta que duplica um parâmetro no corpo POST. Aproximadamente 30.000 instalações do SOGo são rastreadas no espaço da internet russa, com uma estimativa de 98% sendo vulneráveis. Embora a exploração em massa não tenha sido observada, a vulnerabilidade permite ataques de negação de serviço remotos e não autenticados. **Recomendações** Atualize o SOGo para a versão 5.12.3 ou posterior para resolver este problema. Reinicie o serviço para redefinir as sessões ativas.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 28 **Description** The issue allows remote attackers to conduct a persistent Logout CSRF attack by sending HTTP Cookie headers without proper validation of required character-set restrictions. This can be achieved via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response. **Recommendations** For Mozilla Firefox versions prior to 28, update to version 28 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** lighttpd versions prior to 1.4.33 **Description** The issue is related to the failure of lighttpd to check the return value of certain functions, specifically `setuid`, `setgid`, and `setgroups`. This oversight might cause lighttpd to run as root if it is restarted, potentially allowing remote attackers to gain privileges. This can be demonstrated through multiple calls to the `clone` function, which can cause `setuid` to fail when the user process limit is reached. **Recommendations** For versions prior to 1.4.33, update to version 1.4.33 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources and monitoring system logs for potential exploitation attempts.

**Name of the Vulnerable Software and Affected Versions** lighttpd versions prior to 1.4.33 **Description** The issue is related to a use-after-free vulnerability that allows remote attackers to cause a denial of service, resulting in a segmentation fault and crash. This is triggered by unspecified vectors that cause FAMMonitorDirectory failures. **Recommendations** For versions prior to 1.4.33, update to version 1.4.33 or later to resolve the issue. As a temporary workaround, consider restricting access to the FAMMonitorDirectory function until a patch is available.