Febin Mon Saji

**Name of the Vulnerable Software and Affected Versions** MyASUS (affected versions not specified) **Description** An issue involving insecure storage of sensitive keys was identified in MyASUS. This could potentially allow an unauthorized actor to obtain a token used for communication with certain services. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MyFiles versions prior to SMR Jan-2024 Release 1 in Android 11 and Android 12 MyFiles version 14.5.00.21 in Android 13 **Description** A path traversal vulnerability in the ZipCompressor of MyFiles allows local attackers to write arbitrary files. This issue affects MyFiles in Android 11, Android 12, and a specific version in Android 13. **Recommendations** For MyFiles versions prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, update to a version that includes the SMR Jan-2024 Release 1 or later. For MyFiles version 14.5.00.21 in Android 13, update to a version later than 14.5.00.21. As a temporary workaround, consider restricting access to the ZipCompressor component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux Mint Xreader (affected versions not specified) **Description** This issue allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this issue, where the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBT files, resulting from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of the current user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** cpio (affected versions not specified) **Description** A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks. The vulnerability is related to incorrect link resolution before accessing a file, which may enable an attacker to execute arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Mint Xreader (affected versions not specified) **Description** The issue involves a directory traversal flaw in the parsing of EPUB and CBT files within Linux Mint Xreader. This allows remote attackers to potentially execute arbitrary code on affected systems. User interaction is required, specifically, the user must open a malicious EPUB or CBT file or visit a malicious page. The flaw stems from insufficient validation of user-supplied paths before they are used in file operations. An attacker can exploit this to execute code within the context of the current user. Recent reports indicate campaigns exploiting this issue using directory traversal and fileless Python payloads. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 2.25.5 **Description** The issue allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute. **Recommendations** For versions prior to 2.25.5, update to version 2.25.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the file download.php endpoint to minimize the risk of exploitation. Avoid opening attachments from untrusted sources until the issue is resolved.