Daniel Kahn Gillmor

Name of the Vulnerable Software and Affected Versions: ZPanel versions prior to 10.1.0 Description: The issue allows for Remote Command Execution. Recommendations: For versions prior to 10.1.0, update to version 10.1.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** nginx (affected versions not specified) **Description** The issue concerns the nginx http proxy module, which does not verify the peer identity of the HTTPS origin server. This lack of verification could facilitate a man-in-the-middle attack (MITM). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vaultive O365 versions prior to 4.5.21 **Description** The issue affects PGP/MIME encrypted messages processed by the Vaultive O365 frontend. When such messages are injected via IMAP or SMTP, their Content-Type is altered from 'multipart/encrypted' to 'text/plain'. This modification causes most PGP/MIME-capable mail user agents to fail at decrypting the messages properly, resulting in a Denial of Service. A common consequence of this issue is that senders are requested to resend the emails without encryption, potentially leading to Information Disclosure. **Recommendations** For versions prior to 4.5.21, update to version 4.5.21 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Node Packaged Modules (npm) versions prior to 1.3.3 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives. This can potentially result in local privilege escalation. **Recommendations** Update to version 1.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** poppler versions prior to 0.24.3 **Description** The issue is related to a format string vulnerability in the extractPages function. This vulnerability allows remote attackers to cause a denial of service, resulting in a crash, by including format string specifiers in a destination filename. **Recommendations** For versions prior to 0.24.3, update to version 0.24.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** poppler versions prior to 0.24.2 **Description** The issue is a stack-based buffer overflow in the `extractPages` function, located in `utils/pdfseparate.cc`, which can be exploited by remote attackers. This can lead to a denial of service (crash) and potentially allow the execution of arbitrary code via a source filename. **Recommendations** For versions prior to 0.24.2, update to version 0.24.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `extractPages` function in `utils/pdfseparate.cc` until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** mod fcgid module version 2.3.6 for the Apache HTTP Server **Description** The issue allows remote attackers to cause a denial of service, specifically memory consumption, by sending a series of HTTP requests. This is due to the mod fcgid module not recognizing the FcgidMaxProcessesPerClass directive for a virtual host, leading to a process count higher than the intended limit. **Recommendations** For mod fcgid module version 2.3.6, consider disabling the module or restricting its use until a patch is available to prevent remote attackers from causing a denial of service.

**Name of the Vulnerable Software and Affected Versions** PuTTY versions 0.59 and earlier **Description** The issue allows local users to gain sensitive information by reading certain files due to weak file permissions. This affects (1) ppk files containing private keys generated by puttygen and (2) session logs created by putty. **Recommendations** For PuTTY versions 0.59 and earlier, consider changing the file permissions of ppk files and session logs to restrict access and prevent unauthorized reading of sensitive information. As a temporary workaround, restrict access to the puttygen and putty applications until a fix is applied.