Andrew Krasichkov

**Name of the Vulnerable Software and Affected Versions** ONLYOFFICE Document Server version 5.5.0 **Description** An issue was discovered that allows an attacker to craft a malicious .docx file and exploit the `NSFileDownloader` function. This exploitation enables the attacker to pass parameters to a binary, such as `curl` or `wget`, and remotely execute code on a victim's server. **Recommendations** For ONLYOFFICE Document Server version 5.5.0, as a temporary workaround, consider disabling the `NSFileDownloader` function until a patch is available. Restrict access to the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ONLYOFFICE Document Server version 5.5.0 **Description** An issue was discovered that allows an attacker to craft a malicious .docx file and exploit the unzip function. This can lead to rewriting a binary and remotely executing code on a victim's server. **Recommendations** For ONLYOFFICE Document Server version 5.5.0, consider disabling the unzip function for .docx files until a patch is available. Restrict access to the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ONLYOFFICE Document Server version 5.5.0 **Description** An issue was discovered that allows an attacker to craft a malicious .docx file and exploit XML injection. This can lead to entering an attacker-controlled parameter into the x2t binary, potentially allowing the attacker to rewrite the binary and/or libxcb.so.1, and execute code on a victim's server. **Recommendations** For ONLYOFFICE Document Server version 5.5.0, consider restricting the processing of .docx files from untrusted sources until a fix is available. As a temporary workaround, restrict access to the x2t binary to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Postgresql versions prior to 10.5 Postgresql versions prior to 9.6.10 Postgresql versions prior to 9.5.14 Postgresql versions prior to 9.4.19 Postgresql versions prior to 9.3.24 **Description** A vulnerability was found in libpq, the default PostgreSQL client library, where it failed to properly reset its internal state between connections. If an affected version of libpq was used with `host` or `hostaddr` connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections, or potentially cause other impact through SQL injection by causing the `PQescape()` function to malfunction. **Recommendations** For versions prior to 10.5, update to version 10.5 or later. For versions prior to 9.6.10, update to version 9.6.10 or later. For versions prior to 9.5.14, update to version 9.5.14 or later. For versions prior to 9.4.19, update to version 9.4.19 or later. For versions prior to 9.3.24, update to version 9.3.24 or later. As a temporary workaround, consider restricting the use of the `host` and `hostaddr` connection parameters to trusted input only, until a patch is available.

Name of the Vulnerable Software and Affected Versions: sanitize-html versions 1.11.1 and below Description: The issue concerns a cross-site scripting (XSS) vulnerability in certain scenarios. When at least one non-text tag is allowed, the result is a potential XSS vulnerability. This occurs when the `allowedTags` parameter includes at least one `nonTextTag`. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Recommendations: For versions 1.11.1 and below, update to version 1.11.4 or later. As a temporary workaround, consider restricting the use of the `allowedTags` parameter to exclude `nonTextTags` until a patch is available. Avoid using the `allowedTags` parameter with `nonTextTags` in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LibreOffice versions prior to 5.4.5 LibreOffice versions 6.x prior to 6.0.1 **Description** The issue is related to the COM.MICROSOFT.WEBSERVICE function in LibreOffice, which allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document. This is due to inadequate management of registration data. An attacker can exploit this issue by sending a specially crafted request to gain access to protected information. **Recommendations** For versions prior to 5.4.5, update to version 5.4.5 or later. For versions 6.x prior to 6.0.1, update to version 6.0.1 or later. As a temporary workaround, consider disabling the `COM.MICROSOFT.WEBSERVICE` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 50.1 Firefox ESR versions prior to 45.6 Thunderbird versions prior to 45.6 **Description** The issue involves event handlers on "marquee" elements being executed despite a strict Content Security Policy (CSP) that disallows inline JavaScript. **Recommendations** For Firefox versions prior to 50.1, update to version 50.1 or later. For Firefox ESR versions prior to 45.6, update to version 45.6 or later. For Thunderbird versions prior to 45.6, update to version 45.6 or later.