Dawid Golunski

**Name of the Vulnerable Software and Affected Versions** Git LFS versions 2.12.0 Git versions prior to 2.29.2 **Description** The issue allows Remote Code Execution (RCE) on Windows systems when Git LFS operates on a malicious repository with a `git.bat` or `git.exe` file in the current directory. This occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. The problem does not affect Unix systems. **Recommendations** For Git LFS version 2.12.0, update to version 2.12.1 or later. For Git versions prior to 2.29.2, update to version 2.29.2 or later. As a temporary workaround, consider avoiding untrusted repositories until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Vanilla Forums versions prior to 2.3.1 **Description** The issue allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header. This can be demonstrated by a password reset request. **Recommendations** For versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the password reset functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.7.5 **Description** The issue allows remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request. This is related to problematic use of the `SERVER NAME` variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period, (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message. **Recommendations** For WordPress versions prior to 4.7.5, update to version 4.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-login.php page to minimize the risk of exploitation. Additionally, users can restrict the use of the `wp-login.php?action=lostpassword` endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SquirrelMail versions prior to 20170427 0200-SVN **Description** The issue allows post-authentication remote code execution via a mishandled sendmail.cf file in a popen call. This can be exploited to execute arbitrary shell commands on the remote server. The problem lies in the Deliver SendMail.class.php file, specifically in the initStream function, which incorrectly uses escapeshellcmd() to sanitize the sendmail command. The `sendmail` command line, particularly the `-f$envelopefrom` part, is vulnerable to injection of arbitrary command parameters due to the lack of whitespace escaping. If the target server uses sendmail and SquirrelMail is configured to use it, an attacker can trick sendmail into using a malicious sendmail.cf file, leading to arbitrary command execution. This can be achieved by uploading a sendmail.cf file as an email attachment and then injecting the filename with the `-C` option in the "Options > Personal Informations > Email Address" setting. **Recommendations** For SquirrelMail versions prior to 20170427 0200-SVN, as a temporary workaround, consider disabling the use of sendmail as a command-line program in SquirrelMail configuration until a patch is available. Restrict access to the Deliver SendMail.class.php file to minimize the risk of exploitation. Avoid using the `envelopefrom` variable in the sendmail command line until the issue is resolved. Update to a version newer than 20170427 0200-SVN to fully resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CakePHP versions 3.2.4 and earlier **Description** The issue allows remote attackers to spoof their IP via the `CLIENT-IP HTTP` header. This is due to a problem in the `clientIp` function. **Recommendations** For versions 3.2.4 and earlier, consider disabling the `clientIp` function until a patch is available. Restrict access to the `CLIENT-IP HTTP` header to minimize the risk of IP spoofing.

**Name of the Vulnerable Software and Affected Versions** zend-mail component versions prior to 2.4.11 zend-mail component versions 2.5.x zend-mail component versions 2.6.x zend-mail component versions 2.7.x prior to 2.7.2 Zend Framework versions prior to 2.4.11 **Description** The issue allows remote attackers to potentially execute arbitrary code by passing extra parameters to the mail command. This is achieved through a crafted e-mail address containing a backslash double quote (") in the `setFrom` function of the Sendmail adapter in the zend-mail component. **Recommendations** For versions prior to 2.4.11, update to version 2.4.11 or later. For versions 2.5.x, update to version 2.7.2 or later. For versions 2.6.x, update to version 2.7.2 or later. For versions 2.7.x prior to 2.7.2, update to version 2.7.2. As a temporary workaround, consider restricting the use of the `setFrom` function in the Sendmail adapter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Swift Mailer versions prior to 5.4.5 **Description** The issue allows remote attackers to potentially execute arbitrary code by passing extra parameters to the mail command. This can be achieved by including a (backslash double quote) in a crafted e-mail address within the From, ReturnPath, or Sender header. **Recommendations** For versions prior to 5.4.5, update to version 5.4.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of special characters in e-mail addresses within the From, ReturnPath, or Sender headers until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** PHPMailer versions prior to 5.2.18 Wordpress version 4.6 **Description** The issue allows remote attackers to execute arbitrary code. This can be achieved by passing extra parameters to the mail command via a crafted Sender property in PHPMailer. There is a potential for remote code execution in Wordpress 4.6. **Recommendations** For PHPMailer versions prior to 5.2.18, update to version 5.2.18 or later to resolve the issue. For Wordpress version 4.6, update to a newer version to mitigate the risk of remote code execution.

**Name of the Vulnerable Software and Affected Versions** postgresql-common versions prior to 134wheezy5 postgresql-common versions prior to 165+deb8u2 postgresql-common versions prior to 178 postgresql-common versions prior to 129ubuntu1.2 postgresql-common versions prior to 154ubuntu1.1 postgresql-common versions prior to 173ubuntu0.1 postgresql-common versions prior to 179ubuntu0.1 postgresql-common versions prior to 184ubuntu1.1 **Description** The issue is related to a symlink attack on a logfile in /var/log/postgresql, allowing local users to gain root privileges. The vulnerability is caused by incorrect link resolution before accessing a file, which can be exploited to gain unauthorized access to confidential data, cause a denial of service, and impact data integrity. **Recommendations** For versions prior to 134wheezy5, update to version 134wheezy5 or later. For versions prior to 165+deb8u2, update to version 165+deb8u2 or later. For versions prior to 178, update to version 178 or later. For versions prior to 129ubuntu1.2, update to version 129ubuntu1.2 or later. For versions prior to 154ubuntu1.1, update to version 154ubuntu1.1 or later. For versions prior to 173ubuntu0.1, update to version 173ubuntu0.1 or later. For versions prior to 179ubuntu0.1, update to version 179ubuntu0.1 or later. For versions prior to 184ubuntu1.1, update to version 184ubuntu1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios Core versions prior to 4.2.2 **Description** The issue allows remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. This is due to an incomplete fix for a previous issue. **Recommendations** For versions prior to 4.2.2, update to version 4.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Nagios Core versions prior to 4.2.4 **Description** The issue allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. This can be leveraged by remote attackers. **Recommendations** For Nagios Core versions prior to 4.2.4, update to version 4.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the log file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** nginx versions prior to 1.6.2-5+deb8u3 on Debian jessie nginx versions prior to 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS nginx versions prior to 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS nginx versions prior to 1.10.1-0ubuntu1.1 on Ubuntu 16.10 nginx versions prior to 1.10.2-r3 on Gentoo **Description** The issue allows local users with access to the web server user account to gain root privileges via a symlink attack on the error log. **Recommendations** For Debian jessie, update to version 1.6.2-5+deb8u3 or later. For Ubuntu 14.04 LTS, update to version 1.4.6-1ubuntu3.6 or later. For Ubuntu 16.04 LTS, update to version 1.10.0-0ubuntu0.16.04.3 or later. For Ubuntu 16.10, update to version 1.10.1-0ubuntu1.1 or later. For Gentoo, update to version 1.10.2-r3 or later.

**Name of the Vulnerable Software and Affected Versions** Oracle MySQL versions 5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier MariaDB (affected versions not specified) Percona Server versions 5.5.51-38.2 and earlier, 5.6.32-78.1 and earlier, 5.7.14-8 and earlier Percona XtraDB Cluster versions 5.5.41-37.0 and earlier, 5.6.32-25.17 and earlier, 5.7.14-26.17 and earlier **Description** The issue allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files when using file-based logging. It can also be exploited by a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server, resulting in unauthorized ability to cause a hang or frequently repeatable crash of the MySQL Server. **Recommendations** For Oracle MySQL versions 5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier, update to a version later than the affected ones. For MariaDB, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Percona Server versions 5.5.51-38.2 and earlier, 5.6.32-78.1 and earlier, 5.7.14-8 and earlier, update to a version later than the affected ones. For Percona XtraDB Cluster versions 5.5.41-37.0 and earlier, 5.6.32-25.17 and earlier, 5.7.14-26.17 and earlier, update to a version later than the affected ones. As a temporary workaround, consider disabling file-based logging until a patch is available. Restrict access to the mysql account to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions (affected versions not specified) **Description** The issue is related to weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group. **Recommendations** For Apache Tomcat on affected Linux distributions, consider restricting access to the tomcat group or modifying the permissions of /usr/lib/tmpfiles.d/tomcat.conf to prevent local users from gaining root privileges. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions prior to 7.0.56-3+deb8u4 Apache Tomcat versions prior to 8.0.14-1+deb8u3 Apache Tomcat 6 versions prior to 6.0.35-1ubuntu3.8 Apache Tomcat 7 versions prior to 7.0.52-1ubuntu0.7 Apache Tomcat 8 versions prior to 8.0.32-1ubuntu1.2 **Description** The issue allows local users with access to the Tomcat account to gain root privileges via a symlink attack on the Catalina log file. This can be demonstrated by an attack on the /var/log/tomcat7/catalina.out file. **Recommendations** For Apache Tomcat 6, update to version 6.0.35-1ubuntu3.8 or later. For Apache Tomcat 7 on Debian jessie, update to version 7.0.56-3+deb8u4 or later. For Apache Tomcat 7 on Ubuntu 14.04 LTS, update to version 7.0.52-1ubuntu0.7 or later. For Apache Tomcat 8 on Debian jessie, update to version 8.0.14-1+deb8u3 or later. For Apache Tomcat 8 on Ubuntu 16.04 LTS, update to version 8.0.32-1ubuntu1.2 or later.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions prior to 3.8.7 Patch Level 6 vBulletin versions prior to 3.8.8 Patch Level 2 vBulletin versions prior to 3.8.9 Patch Level 1 vBulletin versions prior to 4.2.2 Patch Level 6 vBulletin versions prior to 4.2.3 Patch Level 2 vBulletin versions prior to 5.2.0 Patch Level 3 vBulletin versions prior to 5.2.1 Patch Level 1 vBulletin versions prior to 5.2.2 Patch Level 1 **Description** The media-file upload feature in vBulletin allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks via a crafted URL that results in a Redirection HTTP status code. This issue can be exploited by sending a specially crafted URL. **Recommendations** For versions prior to 3.8.7 Patch Level 6, update to 3.8.7 Patch Level 6 or later. For versions prior to 3.8.8 Patch Level 2, update to 3.8.8 Patch Level 2 or later. For versions prior to 3.8.9 Patch Level 1, update to 3.8.9 Patch Level 1 or later. For versions prior to 4.2.2 Patch Level 6, update to 4.2.2 Patch Level 6 or later. For versions prior to 4.2.3 Patch Level 2, update to 4.2.3 Patch Level 2 or later. For versions prior to 5.2.0 Patch Level 3, update to 5.2.0 Patch Level 3 or later. For versions prior to 5.2.1 Patch Level 1, update to 5.2.1 Patch Level 1 or later. For versions prior to 5.2.2 Patch Level 1, update to 5.2.2 Patch Level 1 or later.

**Name of the Vulnerable Software and Affected Versions** Adobe ColdFusion versions 10 through 10 before Update 21 Adobe ColdFusion versions 11 through 11 before Update 10 **Description** The issue is related to an XML External Entity (XXE) problem in the Office Open XML (OOXML) feature, allowing remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference. **Recommendations** For Adobe ColdFusion 10, apply Update 21 to resolve the issue. For Adobe ColdFusion 11, apply Update 10 to resolve the issue. As a temporary workaround, consider restricting the use of the OOXML feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle MySQL versions 5.5.52 and earlier, 5.6.33 and earlier, 5.7.15 and earlier MariaDB versions prior to 5.5.51, 10.0.x prior to 10.0.27, and 10.1.x prior to 10.1.17 Percona Server versions prior to 5.5.51-38.1, 5.6.x prior to 5.6.32-78.0, and 5.7.x prior to 5.7.14-7 **Description** The issue allows local users to create arbitrary configurations and bypass certain protection mechanisms by setting `general log file` to a my.cnf configuration. This can be leveraged to execute arbitrary code with root privileges by setting `malloc lib`. The vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash of MySQL Server. **Recommendations** For Oracle MySQL versions 5.5.52 and earlier, 5.6.33 and earlier, 5.7.15 and earlier, consider disabling the `general log file` setting to prevent exploitation until a patch is available. For MariaDB versions prior to 5.5.51, 10.0.x prior to 10.0.27, and 10.1.x prior to 10.1.17, restrict access to the my.cnf configuration file to minimize the risk of exploitation. For Percona Server versions prior to 5.5.51-38.1, 5.6.x prior to 5.6.32-78.0, and 5.7.x prior to 5.7.14-7, avoid using the `malloc lib` setting in the my.cnf configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNU wget versions prior to 1.18 PAN-OS versions prior to 6.1.17 PAN-OS versions prior to 7.0.15 PAN-OS versions prior to 7.1.10 PAN-OS versions prior to 8.0.1 **Description** The issue is related to errors in security settings, allowing remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. This can be exploited by an attacker to modify files. The estimated number of potentially affected devices is not provided. **Recommendations** For GNU wget versions prior to 1.18, update to version 1.18 or later. For PAN-OS versions prior to 6.1.17, update to version 6.1.17 or later. For PAN-OS versions prior to 7.0.15, update to version 7.0.15 or later. For PAN-OS versions prior to 7.1.10, update to version 7.1.10 or later. For PAN-OS versions prior to 8.0.1, update to version 8.0.1 or later. As a temporary workaround, consider restricting access to the Management Interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Exim versions prior to 4.86.2 **Description** The issue allows local users to gain privileges through the `perl startup` argument when Exim is installed setuid root. **Recommendations** For versions prior to 4.86.2, update to version 4.86.2 or later to resolve the issue. As a temporary workaround, consider disabling the setuid root installation of Exim until a patch is available. Restrict access to the `perl startup` argument to minimize the risk of exploitation.