Alex Vandiver

**Name of the Vulnerable Software and Affected Versions** Apache CouchDB versions prior to 3.2.2 **Description** The issue concerns an improperly secured default installation of Apache CouchDB, allowing an attacker to access the system without authentication and gain admin privileges. The CouchDB documentation recommends properly securing an installation, including using a firewall in front of all CouchDB installations. It is estimated that a significant number of installations may be vulnerable, with reports suggesting around 80,000 results from a ZoomEye query and over 1,500 results from a Shodan search. **Recommendations** For Apache CouchDB versions prior to 3.2.2, update to version 3.2.2 or later to resolve the issue. As a temporary workaround, consider using a firewall in front of the CouchDB installation to restrict access and minimize the risk of exploitation. Additionally, follow the recommendations in the CouchDB documentation for properly securing an installation.

**Name of the Vulnerable Software and Affected Versions** Jifty::DBI versions prior to 0.68 **Description** The issue is related to a SQL injection vulnerability. **Recommendations** For versions prior to 0.68, update to version 0.68 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Email::Address::List versions prior to 0.02 RT versions 4.2.0 through 4.2.2 **Description** The issue allows remote attackers to cause a denial of service, specifically CPU consumption, by providing a string without an address. This is related to an algorithmic complexity vulnerability. **Recommendations** For Email::Address::List versions prior to 0.02, update to version 0.02 or later. For RT versions 4.2.0 through 4.2.2, update to a version outside of this range or apply a patch that fixes the algorithmic complexity vulnerability in Email::Address::List.

**Name of the Vulnerable Software and Affected Versions** Request Tracker versions 4.0.0 through 4.0.12 RT-Extension-MobileUI extension version prior to 1.04 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the name of an attached file. **Recommendations** For Request Tracker versions 4.0.0 through 4.0.12, update the RT-Extension-MobileUI extension to version 1.04 or later. For RT-Extension-MobileUI extension version prior to 1.04, update to version 1.04 or later.

**Name of the Vulnerable Software and Affected Versions** Best Practical Solutions RT RTFM extension versions 2.0.4 through 2.4.3 rtfm package (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the topic administration page of the RTFM extension, allowing remote attackers to inject arbitrary web script or HTML. This could lead to a breach of protected information integrity. The exploitation of these vulnerabilities can be done remotely. **Recommendations** For RTFM extension versions 2.0.4 through 2.4.3, consider disabling access to the topic administration page until a patch is available. As a temporary workaround, restrict the use of the RTFM extension to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Authen::ExternalAuth extension versions prior to 0.11 **Description** The issue allows remote attackers to obtain a logged-in session via unspecified vectors related to the "URL of a RSS feed of the user." **Recommendations** For versions prior to 0.11, update to version 0.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Best Practical Solutions RT versions 3.8.x through 4.0.5 Extension::MobileUI extension version 1.01 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, due to multiple cross-site scripting (XSS) vulnerabilities in the topic administration page. **Recommendations** For Best Practical Solutions RT versions 3.8.x through 4.0.5, update to version 4.0.6 or later. For Extension::MobileUI extension version 1.01 and earlier, update to version 1.02 or later.