Anssi

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue was related to the HID pidff, where the pool report was sometimes incorrect, causing problems on certain devices, such as the VRS DirectForce PRO. The fix involves refetching the pool report before accessing its fields to prevent potential issues, including infinite loop scenarios. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Flowplayer HTML5 version 5.4.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `callback` parameter in the Flash fallback feature. This is related to a previous issue. **Recommendations** For version 5.4.1, avoid using the `callback` parameter in the Flash fallback feature until a fix is available. As a temporary workaround, consider restricting access to the Flash fallback feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Flowplayer HTML5 version 5.4.3 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the Flash fallback feature. This vulnerability allows remote attackers to inject arbitrary web script or HTML by using URL encoding within the `callback` parameter name. **Recommendations** For Flowplayer HTML5 version 5.4.3, consider disabling the Flash fallback feature or restricting the use of the `callback` parameter to minimize the risk of exploitation. Avoid using URL encoding within the `callback` parameter name until the issue is resolved.