Derek Callaway

Researcher from Security Objectives
#20340 of 53,633
12.6 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2008-4729
7.6
2008-07-28
Red Hat · Cygwin · CVE-2008-3323
**Name of the Vulnerable Software and Affected Versions** Cygwin setup.exe versions prior to 2.573.2.3

**Description** The issue is improper verification of package authenticity, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package.

**Recommendations** For Cygwin setup.exe versions prior to 2.573.2.3, update to version 2.573.2.3 or later to resolve the issue. As a temporary workaround, consider verifying the authenticity of packages manually until a patch is applied. Restrict access to untrusted Cygwin mirror servers to minimize the risk of exploitation.
PT-2006-5945
5.0
2006-10-16
Ironweb · Ironwebmail · CVE-2006-5210
**Name of the Vulnerable Software and Affected Versions** IronWebMail versions prior to 6.1.1 HotFix-17

**Description** This is a directory traversal vulnerability. It allows remote attackers to read arbitrary files via a GET request to the "IM FILE" identifier with double-URL-encoded "../" sequences ("%252e%252e/").

**Recommendations** For versions prior to 6.1.1 HotFix-17, update to version 6.1.1 HotFix-17 or later to resolve the issue. As a temporary workaround, consider restricting access to the IM FILE identifier to minimize the risk of exploitation.