Cedric Van Bockhaven

**Name of the Vulnerable Software and Affected Versions** Intel(R) Graphics software (affected versions not specified) **Description** The issue is related to improper access control in some Intel(R) Graphics software, which may allow an authenticated user to potentially enable escalation of privilege via local access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dell Power Manager versions prior to 3.14 **Description** The issue is related to an Improper Authorization vulnerability in the DPM service. A low-privileged malicious user could potentially exploit this vulnerability to elevate privileges on the system. **Recommendations** For versions prior to 3.14, update to version 3.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the DPM service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Windows Azure Pack versions prior to Rollup 13.1 **Description** A Cross-site Scripting (XSS) issue exists due to improper sanitization of user-provided input. This allows a remote attacker to perform cross-site scripting attacks with elevated privileges. **Recommendations** For Windows Azure Pack versions prior to Rollup 13.1, update to Rollup 13.1 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.4.79 **Description** The issue is related to persistent XSS via comments in the `app/View/Helper/CommandHelper.php` file. It affects users of the same instance, as the comment field is not part of the MISP synchronization. **Recommendations** For versions prior to 2.4.79, update to version 2.4.79 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.1.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a crafted character in a comment, potentially affecting WordPress installations that use MySQL without strict mode. This can be achieved by injecting a four-byte UTF-8 character or an invalid character that reaches the database layer. **Recommendations** For versions prior to 4.1.2, update to version 4.1.2 or later to resolve the issue. As a temporary workaround, consider restricting user input to prevent the injection of malicious characters.

**Name of the Vulnerable Software and Affected Versions** Plupload versions 2.1.2 WordPress versions 3.9.x through 4.1.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to execute same-origin JavaScript functions via the `target` parameter. This can be demonstrated by executing a certain click function, related to ` init.as` and ` fireEvent.as` files. **Recommendations** For Plupload version 2.1.2, update to a version that fixes the XSS vulnerability. For WordPress versions 3.9.x through 4.1.1, update to version 4.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `plupload.flash.swf` shim to minimize the risk of exploitation.