Brendan Coles

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.4 Wireshark versions 4.4.0 through 4.4.14 **Description** A crash in the dissection engine during zlib decompression can lead to a denial of service. **Recommendations** Update Wireshark versions 4.6.0 through 4.6.4 to a version newer than 4.6.4. Update Wireshark versions 4.4.0 through 4.4.14 to a version newer than 4.4.14.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.4 Wireshark versions 4.4.0 through 4.4.14 **Description** A crash in the AFP Spotlight protocol dissector allows for a denial of service. A dissector is a software component that breaks down network packets into a readable format. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.4 Wireshark versions 4.4.0 through 4.4.14 **Description** A crash in the ICMPv6 PvD protocol dissector allows for a denial of service. A dissector is a software component that breaks down network packets into a readable format. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.4 **Description** A flaw in the DLMS/COSEM protocol dissector can lead to an infinite loop. **Recommendations** Update Wireshark to a version later than 4.6.4.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.4 Wireshark versions 4.4.0 through 4.4.14 **Description** A crash in the FC-SWILS protocol dissector allows for a denial of service. **Recommendations** Update Wireshark versions 4.6.0 through 4.6.4 to a version newer than 4.6.4. Update Wireshark versions 4.4.0 through 4.4.14 to a version newer than 4.4.14.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.4 Wireshark versions 4.4.0 through 4.4.14 **Description** An infinite loop in the SMB2 protocol dissector can lead to a denial of service. **Recommendations** Update Wireshark versions 4.6.0 through 4.6.4 to a version newer than 4.6.4. Update Wireshark versions 4.4.0 through 4.4.14 to a version newer than 4.4.14.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.4 Wireshark versions 4.4.0 through 4.4.14 **Description** A crash in the BT-DHT protocol dissector allows a denial of service. **Recommendations** Update Wireshark versions 4.6.0 through 4.6.4 to a version newer than 4.6.4. Update Wireshark versions 4.4.0 through 4.4.14 to a version newer than 4.4.14.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.4 Wireshark versions 4.4.0 through 4.4.14 **Description** A crash in the Monero protocol dissector allows for a denial of service. **Recommendations** Update Wireshark versions 4.6.0 through 4.6.4 to a version newer than 4.6.4. Update Wireshark versions 4.4.0 through 4.4.14 to a version newer than 4.4.14.

**Name of the Vulnerable Software and Affected Versions** Actual Analyzer versions prior to 2014-08-29 **Description** The issue allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval operation. **Recommendations** For versions prior to 2014-08-29, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** DuckDuckGo version 4.2.0 **Description** The issue concerns the WebRTC component, which can disclose a private IP address in a STUN request after visiting a website that attempts to gather complete client information, such as https://ip.voidsec.com. **Recommendations** For DuckDuckGo version 4.2.0, consider disabling WebRTC as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SolidWorks Workgroup PDM version 2014 **Description** The issue allows remote attackers to write to arbitrary files via a .. (dot dot) in the filename in a file upload, potentially leading to unauthorized file modifications. **Recommendations** For SolidWorks Workgroup PDM version 2014, consider restricting file upload capabilities to trusted sources until a fix is available. As a temporary workaround, implement strict validation and sanitization of filenames to prevent directory traversal attacks.

**Name of the Vulnerable Software and Affected Versions** ProjectSend (formerly cFTP) versions r100 through r561 **Description** The issue allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory. This is due to an unrestricted file upload vulnerability in the process-upload.php file. **Recommendations** For versions r100 through r561, restrict access to the upload/files/ and upload/temp/ directories to prevent direct requests to uploaded files. As a temporary workaround, consider disabling the file upload functionality in process-upload.php until a patch is available.

**Name of the Vulnerable Software and Affected Versions** VMware Hyperic HQ version 4.6.6 **Description** The issue allows remote authenticated administrators to execute arbitrary code. This is achieved through a Runtime.getRuntime().exec call in the Groovy script console. **Recommendations** For version 4.6.6, consider restricting access to the Groovy script console to minimize the risk of exploitation. As a temporary workaround, limit the use of the Runtime.getRuntime().exec call until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions 2.3.11 and earlier Ruby on Rails versions 3.0.4 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value in the `mail to` helper when javascript encoding is used. This is a cross-site scripting (XSS) issue. **Recommendations** For Ruby on Rails versions 2.3.11 and earlier, update to version 2.3.11 or later. For Ruby on Rails versions 3.0.4 and earlier, update to version 3.0.4 or later. As a temporary workaround, consider disabling the `mail to` helper function until a patch is available. Restrict input for the `name` and `email` values in the `mail to` helper to minimize the risk of exploitation.