Unknown · Concrete CMS · CVE-2022-21829
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions 9.0.0 through 9.0.2
Concrete CMS versions 8.5.7 and below
**Description**
The issue allows an attacker to have zip files downloaded over plain HTTP and to execute code from those zip files, potentially leading to remote code execution (RCE). This is resolved by enforcing `concrete secure` instead of `concrete`, so that Concrete CMS only makes these requests over HTTPS, even if the incoming request arrived over HTTP.
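As an added illustration (not code from Concrete CMS or from this advisory), the flawed pattern the description implies, where the outbound archive fetch inherits the scheme of the inbound request, beside a check that forces HTTPS to a single trusted host before any zip is fetched. The host name `packages.example.invalid` and the function names are constructed placeholders, not the CMS's own.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder for the server the CMS downloads package zips from (assumption).
TRUSTED_ARCHIVE_HOST = "packages.example.invalid"


def archive_url_inherits_request_scheme(request_scheme: str, path: str) -> str:
    """Pre-fix pattern: the outbound fetch reuses the scheme the visitor arrived with,
    so a plain-HTTP visit makes the CMS pull the zip over plain HTTP."""
    return f"{request_scheme.lower()}://{TRUSTED_ARCHIVE_HOST}{path}"


def archive_url_always_https(request_scheme: str, path: str) -> str:
    """Post-fix pattern: the inbound scheme is ignored; the outbound fetch is always HTTPS."""
    return f"https://{TRUSTED_ARCHIVE_HOST}{path}"


def force_https(url: str) -> str:
    """Normalise an archive URL so the fetch can only go over TLS to the trusted host.

    Accepts http://, https:// and protocol-relative (//host/...) forms and rewrites
    them to https; rejects any other scheme, any untrusted host and embedded userinfo.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("", "http", "https"):
        raise ValueError(f"refusing archive fetch over {scheme!r}: {url}")
    if parts.hostname is None or parts.hostname.lower() != TRUSTED_ARCHIVE_HOST:
        raise ValueError(f"archive host not trusted: {parts.hostname!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in archive URL is not allowed")
    # Rebuild with a fixed scheme and the validated host; keep path and query, drop fragment.
    return urlunsplit(("https", TRUSTED_ARCHIVE_HOST, parts.path, parts.query, ""))


def is_safe_archive_url(url: str) -> bool:
    """Boolean gate for callers that only need accept/reject."""
    try:
        force_https(url)
        return True
    except ValueError:
        return False
```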
**Recommendations**
For Concrete CMS versions 9.0.0 through 9.0.2, update to a version that enforces `concrete secure` instead of `concrete` to ensure requests are made over HTTPS.
For Concrete CMS versions 8.5.7 and below, update to a version that enforces `concrete secure` instead of `concrete` to ensure requests are made over HTTPS.
As a temporary workaround until a patched version is installed, consider restricting the ability to download zip files over HTTP.