Frycos

**Name of the Vulnerable Software and Affected Versions** GFI MailEssentials versions prior to 21.8 **Description** The issue is related to an XML External Entity (XXE) problem. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files. **Recommendations** For versions prior to 21.8, update to version 21.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTP request functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GFI MailEssentials versions prior to 21.8 **Description** The issue is related to a .NET deserialization problem. A remote and authenticated attacker can execute arbitrary code by sending crafted serialized .NET data when joining a Multi-Server setup. **Recommendations** For GFI MailEssentials versions prior to 21.8, update to version 21.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Multi-Server setup to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Dynamics 365 Business Central (affected versions not specified) **Description** The issue is related to deficiencies in the authentication procedure of Microsoft Dynamics 365 Business Central. Exploitation of this issue may allow a remote attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Dynamics 365 Business Central (affected versions not specified) **Description** The issue is related to flaws in the deserialization mechanism of Microsoft Dynamics 365 Business Central, allowing a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Skype for Business Server (affected versions not specified) **Description** The issue is related to a lack of protection for service data in Skype for Business Server, which can be exploited to disclose protected information. This is a privilege escalation issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GFI Kerio Connect versions 9.4.1 patch 1 through 9.4.1 patch 1 **Description** An issue was discovered in the webmail component's 2FASetup function, which is vulnerable to a stack-based Buffer Overflow. This occurs via an authenticated request with a long `primaryEMailAddress` field to the "webmail/api/jsonrpc" URI. **Recommendations** For GFI Kerio Connect version 9.4.1 patch 1, update to version 10.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the webmail component's 2FASetup function until a patch is available. Avoid using long `primaryEMailAddress` fields in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Docmosis Tornado versions prior to 2.9.5 **Description** An issue allows an unauthenticated attacker to bypass the authentication check filter completely by introducing a specially crafted request with relative path segments. **Recommendations** For versions prior to 2.9.5, update to version 2.9.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Docmosis Tornado versions 2.9.4 and earlier **Description** The issue allows for Directory Traversal, which can lead to the disclosure of arbitrary content on the file system. **Recommendations** For versions 2.9.4 and earlier, update to a version later than 2.9.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Docmosis Tornado versions prior to 2.9.5 **Description** An issue allows an authenticated attacker to change the Office directory setting to point to an arbitrary remote network path, triggering the execution of the soffice binary under the attacker's control. This leads to arbitrary remote code execution (RCE). **Recommendations** For versions prior to 2.9.5, update to version 2.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Office directory setting to prevent attackers from modifying it.

**Name of the Vulnerable Software and Affected Versions** GFI MailEssentials versions prior to 21.8 **Description** A local privilege escalation issue exists, allowing a local attacker to escalate to NT Authority/SYSTEM by sending a crafted serialized payload to a .NET Remoting Service. **Recommendations** For GFI MailEssentials versions prior to 21.8, update to version 21.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the .NET Remoting Service to minimize the risk of exploitation.