
Ben Ford

#21788 of 53,633
Total CVSS: 11
Vulnerabilities · 2
Low: 1
High: 1
PT-2022-17902
7.5
2022-04-15
Asterisk · Asterisk · CVE-2022-26498
**Name of the Vulnerable Software and Affected Versions**

- Asterisk versions prior to 16.25.2
- Asterisk versions prior to 18.11.2
- Asterisk versions prior to 19.3.2

**Description**

An issue was discovered in Asterisk when using STIR/SHAKEN, allowing the download of files that are not certificates. These files could be much larger than expected, leading to Resource Exhaustion.

**Recommendations**

For versions prior to 16.25.2, update to version 16.25.2 or later to resolve the issue. For versions prior to 18.11.2, update to version 18.11.2 or later to resolve the issue. For versions prior to 19.3.2, update to version 19.3.2 or later to resolve the issue.
PT-2014-2378
3.5
2014-02-14
Red Hat · Red Hat Network Satellite · CVE-2012-6149
**Name of the Vulnerable Software and Affected Versions**

- Red Hat Network Satellite versions 5.6

**Description**

The issue allows remote attackers to inject arbitrary web script or HTML via the `subject` or `content` values of a note in a system.addNote XML-RPC call, potentially leading to cross-site scripting (XSS) attacks.

**Recommendations**

For Red Hat Network Satellite version 5.6, as a temporary workaround, consider restricting access to the system.addNote XML-RPC call until a patch is available. Avoid using the `subject` and `content` values in the system.addNote call to minimize the risk of exploitation.