Vincent Malguy

**Name of the Vulnerable Software and Affected Versions** nagios version 4.2.x **Description** A privilege escalation issue was found in the daemon-init.in component when creating necessary files and changing ownership. This allows a local attacker to create symbolic links before file creation, potentially escalating privileges with the ownership change. **Recommendations** For nagios version 4.2.x, consider restricting access to the daemon-init.in component until a patch is available. As a temporary workaround, avoid using the daemon-init.in functionality that involves creating files and changing ownership to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TeamPass versions 2.1.24 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `label` value of an item or the `name` of a role. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For TeamPass versions 2.1.24 and earlier, update to a version later than 2.1.24 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TeamPass versions 2.1.24 and earlier **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of an authenticated user. **Recommendations** For TeamPass versions 2.1.24 and earlier, update to a version later than 2.1.24 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TeamPass versions 2.1.24 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `id` parameter in an `action on quick icon` action to "item.query.php", or the `order` or `direction` parameter in a "(a) connections logs, (b) errors logs or (c) access logs" action to "view.query.php". **Recommendations** For TeamPass versions 2.1.24 and earlier, consider restricting access to the "item.query.php" and "view.query.php" files until a patch is available. As a temporary workaround, avoid using the `id`, `order`, and `direction` parameters in the affected API endpoints. At the moment, there is no information about a newer version that contains a fix for this issue.