Fabian Bräunlein

**Name of the Vulnerable Software and Affected Versions** Microsoft Office (affected versions not specified) **Description** The issue is related to incorrect code generation management in Microsoft Office. It allows a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dell EMC iDRAC9 versions prior to 4.40.00.00 **Description** The issue allows a remote unauthenticated attacker to potentially exploit a DOM-based cross-site scripting vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to the DOM environment in the browser. This malicious code is then executed by the web browser in the context of the vulnerable web application. **Recommendations** For versions prior to 4.40.00.00, update to version 4.40.00.00 or later to resolve the issue. As a temporary workaround, consider restricting access to the web application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache OpenOffice versions prior to 4.1.10 **Description** The issue is related to the handling of non-http(s) hyperlinks in Apache OpenOffice, which can lead to untrusted code execution if a link is specifically crafted. This problem has existed since about 2006. It is recommended to be careful when opening documents from unknown and unverified sources. **Recommendations** For versions prior to 4.1.10, consider avoiding the use of non-http(s) hyperlinks in documents until a patch is available. As a temporary workaround, users should exercise caution when opening documents from unknown sources and avoid clicking on suspicious links. In the upcoming version 4.1.10, a security warning will be displayed when opening potentially dangerous hyperlinks, giving the user the option to continue or cancel the action.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Desktop Client versions prior to 3.1.3 **Description** The issue is related to resource injection due to missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation. **Recommendations** For Nextcloud Desktop Client versions prior to 3.1.3, update to version 3.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to untrusted servers to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: KDE Discover versions prior to 5.21.3 KDE Discover versions prior to 5.18.7 Description: The issue arises from the automatic creation of links to potentially dangerous URLs based on the content of the store.kde.org web site. These URLs are neither https:// nor http://. Recommendations: For versions prior to 5.21.3, update to version 5.21.3 or later. For versions prior to 5.18.7, update to version 5.18.7 or later.

**Name of the Vulnerable Software and Affected Versions** WinSCP versions prior to 5.17.10 **Description** The issue allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. This is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs. **Recommendations** For versions prior to 5.17.10, update to version 5.17.10 or later to resolve the issue. As a temporary workaround, consider restricting the use of the URL handler for sftp:// URLs until a patch is applied.