Zhao Liang

**Name of the Vulnerable Software and Affected Versions** GNU libcdio versions prior to 1.0.0 **Description** The issue is related to a heap-based buffer over-read in the `print iso9660 recurse` function in `iso-info.c`. This could allow remote attackers to cause a denial of service or possibly have other unspecified impacts via a crafted iso file. The vulnerability is associated with reading data beyond the buffer boundaries in memory, which can be exploited by a remote attacker to disrupt service or have other effects. **Recommendations** For GNU libcdio versions prior to 1.0.0, update to version 1.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of crafted iso files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GNU libcdio versions prior to 1.0.0 **Description** The issue is related to the `realloc symlink` function in `rock.c` and is associated with pointer dereference errors. It can be exploited by remote attackers to cause a denial of service. **Recommendations** For GNU libcdio versions prior to 1.0.0, update to version 1.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of crafted iso files to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: libjpeg-turbo version 1.5.2 Description: The issue is related to a NULL Pointer Dereference in the `jdpostct.c` and `jquant1.c` components of the libjpeg-turbo library. This can be triggered by a crafted JPEG file, potentially allowing a remote attacker to cause a denial of service. Recommendations: For libjpeg-turbo version 1.5.2, consider avoiding the use of the `jdpostct.c` and `jquant1.c` components until a patch is available. As a temporary workaround, restrict the processing of specially crafted JPEG files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Atmail Webmail Server versions prior to 7.2 **Description** The issue allows remote attackers to hijack the authentication of administrators for various requests, including adding, modifying, or deleting user accounts, as well as stopping the product's service. This is due to multiple cross-site request forgery (CSRF) vulnerabilities. **Recommendations** For versions prior to 7.2, update to version 7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Axigen Free Mail Server (affected versions not specified) **Description** The issue concerns multiple directory traversal vulnerabilities in the View Log Files component. These vulnerabilities allow remote attackers to read or delete arbitrary files by exploiting the `fileName` parameter in various actions, including download, edit, and delete actions, to the `/source/loggin/page log dwn file.hsp` endpoint and the default URI. This is achieved by using a `..` (dot dot) in the `fileName` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.