Dan Smith

**Name of the Vulnerable Software and Affected Versions** Drupal Tagify versions prior to 1.2.49 **Description** The Tagify module for Drupal does not properly sanitize user-provided input before using it in JavaScript templates within the Tagify widget. This allows for the execution of arbitrary JavaScript code in a user's browser when content is created or edited. The issue stems from insufficient input neutralization during web page generation, leading to a Cross-Site Scripting (XSS) condition. **Recommendations** Update Drupal Tagify to version 1.2.49 or later.

**Name of the Vulnerable Software and Affected Versions** OpenStack Nova (affected versions not specified) **Description** The software calls `qemu-img` without format restrictions when resizing images. A malicious QCOW header could potentially convince Nova's flat image backend to execute an unsafe image resize operation. The `qemu-img` function is involved in this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Drupal Authenticator Login versions 0.0.0 through 2.1.3 Description: An Authentication Bypass Using an Alternate Path or Channel issue exists in Drupal Authenticator Login, allowing for Authentication Bypass. Recommendations: Update to version 2.1.4 or later.

Name of the Vulnerable Software and Affected Versions: Drupal Two-factor Authentication (TFA) versions 0.0.0 through 1.10.0 Description: The issue affects the two-factor authentication (TFA) mechanism, allowing exploitation of incorrectly configured access control security levels due to a privilege defined with unsafe actions. Recommendations: For versions 0.0.0 through 1.10.0, update to version 1.11.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenStack Ironic versions prior to 26.0.1 Ironic-python-agent versions prior to 9.13.1 **Description** The issue concerns a vulnerability in image processing, where a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, potentially leading to unauthorized access to sensitive data. **Recommendations** For OpenStack Ironic versions prior to 26.0.1, update to version 26.0.1 or later to resolve the issue. For Ironic-python-agent versions prior to 9.13.1, update to version 9.13.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of crafted images in the image processing functionality until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Apache Geode versions up to 1.15.0 **Description** The issue is related to a Cross-Site Scripting (XSS) vulnerability via data injection when using the Pulse web application to view Region entries. **Recommendations** For Apache Geode versions up to 1.15.0, update to a version later than 1.15.0 to resolve the issue.