David Miller

**Name of the Vulnerable Software and Affected Versions** bestinformed Infoclient (affected versions not specified) **Description** A low-privileged user can change the server address of the bestinformed Server to which the bestinformed Infoclient connects, allowing them to escalate their privileges by abusing certain features of the bestinformed Web server. These features include pushing malicious update packages and arbitrary registry read as nt authoritysystem. An attacker can escalate their privileges to nt authoritysystem on the Windows client running the bestinformed Infoclient. This attack is not possible if a custom configuration (Infoclient.ini) containing the flags ShowOnTaskbar=false or DisabledItems=stPort,stAddress is deployed. **Recommendations** For bestinformed Infoclient, consider implementing a custom configuration (Infoclient.ini) with the flags ShowOnTaskbar=false or DisabledItems=stPort,stAddress to prevent the server address from being changed. As a temporary workaround, restrict access to the bestinformed Infoclient GUI to minimize the risk of exploitation. Avoid using the default server address configuration until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BestInformed Web (affected versions not specified) **Description** The issue arises from improper sanitization of user input in the BestInformed Web application, leading to multiple authenticated stored cross-site scripting vulnerabilities. An authenticated attacker can compromise the sessions of other users on the server by injecting JavaScript code into their sessions. This could enable a form of horizontal movement, as the compromised users might have more privileges than the attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bestinformed Web (affected versions not specified) **Description** The issue arises from improper sanitization of user input in the bestinformed Web application, leading to multiple unauthenticated stored cross-site scripting vulnerabilities. An unauthenticated attacker can inject JavaScript code into user sessions, compromising them and potentially abusing the privileges of those users within the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BestInformed Web (affected versions not specified) **Description** The issue allows an authenticated user in the BestInformed Web application to execute commands on the underlying server running the application, which is a case of remote code execution. This can be achieved by creating `ScriptVars` with the type `script` and previewing them, for example, by creating a new information entry. By default, admin users have the necessary permissions, but with the granular permission system, these permissions can be assigned to other users as well. If an account with the correct permissions is compromised, an attacker can execute commands on the server running the BestInformed Web application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Arista Wireless Access Points (affected versions not specified) Description: The issue allows an entity with the ability to authenticate via SSH to an affected Arista Wireless Access Point as the `config` user to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to exploit this issue, but the `config` password is required to establish the session. The spawned shell is able to obtain root privileges. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Collabora Online versions prior to 23.05.10.1 **Description** A stored cross-site scripting issue was found in Collabora Online, a collaborative online office suite based on LibreOffice. An attacker could create a document with an XSS payload in document text referenced by a field, which, if hovered over to produce a tooltip, could be executed by the user's browser. **Recommendations** For versions prior to 23.05.10.1, upgrade to Collabora Online 23.05.10.1 or higher to resolve the issue. As a temporary workaround, consider restricting the use of tooltips in documents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** October CMS versions prior to 2.2.34 October CMS versions prior to 3.0.66 **Description** This issue affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. An attacker with access to the admin panel and permission to open the "Editor" section can bypass the Safe Mode (`cms.safe mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. **Recommendations** For versions prior to 2.2.34, update to version 2.2.34 or later. For versions prior to 3.0.66, update to version 3.0.66 or later. As a temporary workaround, consider restricting access to the "Editor" section in the admin panel until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Octobercms versions prior to 1.0.474 Octobercms versions prior to 1.1.10 **Description** Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions, user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify, and delete website pages can exploit this issue to bypass `cms.safe mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this issue, an attacker must first have access to the backend area. **Recommendations** For versions prior to 1.0.474, update to Build 474 (v1.0.474) or apply the patch from https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually. For versions prior to 1.1.10, update to v1.1.10 or apply the patch from https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually.

**Name of the Vulnerable Software and Affected Versions** October CMS versions prior to 1.0.473 and 1.1.6 **Description** The issue allows an attacker with "create, modify and delete website pages" privileges in the backend to execute PHP code by running specially crafted Twig code in the template markup. **Recommendations** For versions prior to 1.0.473, update to version 1.0.473 or apply the patch to the installation manually as a workaround. For versions prior to 1.1.6, update to version 1.1.6 or apply the patch to the installation manually as a workaround.

**Name of the Vulnerable Software and Affected Versions** Plone versions prior to 5.2.5 **Description** The issue allows for Server-Side Request Forgery (SSRF) via the lxml parser. This affects various components including Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. **Recommendations** For Plone versions prior to 5.2.5, update to version 5.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the lxml parser until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Plone versions through 5.2.4 **Description** The issue allows remote authenticated managers to conduct Server-Side Request Forgery (SSRF) attacks via an event ical URL. This enables them to read one line of a file. **Recommendations** For versions through 5.2.4, update to a version that contains a fix for this issue to prevent SSRF attacks. As a temporary workaround, consider restricting access to the event ical URL to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.4.36.5 Linux kernel versions prior to 2.6.25.3 **Description** The issue concerns the `sparc mmap check` function in `arch/sparc/kernel/sys sparc.c` and the `sparc64 mmap check` function in `arch/sparc64/kernel/sys sparc.c`. These functions omit some virtual-address range checks when the `mmap` `MAP FIXED` bit is not set. This allows local users to cause a denial of service, resulting in a system panic, via unspecified `mmap` calls. **Recommendations** For Linux kernel versions prior to 2.4.36.5, update to version 2.4.36.5 or later to resolve the issue. For Linux kernel versions prior to 2.6.25.3, update to version 2.6.25.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.14.x through 2.14.4 Bugzilla versions 2.16.x through 2.16.1 Bugzilla versions 2.17.x through 2.17.2 **Description** The issue arises from the default .htaccess scripts in Bugzilla not including filenames for backup copies of the localconfig file. This could allow remote attackers to obtain a database password by directly accessing the backup file, which may be created by editors like vi and Emacs. **Recommendations** For Bugzilla versions 2.14.x through 2.14.4, update to version 2.14.5 or later. For Bugzilla versions 2.16.x through 2.16.1, update to version 2.16.2 or later. For Bugzilla versions 2.17.x through 2.17.2, update to version 2.17.3 or later.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.14.x through 2.14.4 Bugzilla versions 2.16.x through 2.16.1 Bugzilla versions 2.17.x through 2.17.2 **Description** The issue allows local users to modify or delete data due to world-writable permissions being set for the data/mining directory by the data collection script. **Recommendations** For versions 2.14.x through 2.14.4, update to version 2.14.5 or later. For versions 2.16.x through 2.16.1, update to version 2.16.2 or later. For versions 2.17.x through 2.17.2, update to version 2.17.3 or later.