Hiroshi Tokumaru

**Name of the Vulnerable Software and Affected Versions** cgi gem versions 0.1.0.0 through 0.1.0.1 cgi gem versions 0.2.0 through 0.2.1 cgi gem versions 0.3.0 through 0.3.4 **Description** The issue is related to HTTP response splitting, which occurs when untrusted user input is inserted into an HTTP response header. This allows an attacker to inject malicious content, potentially leading to access to confidential data, disruption of data integrity, and denial of service. The vulnerability is relevant to applications that use the cgi gem to generate HTTP responses or create CGI::Cookie objects based on user input. **Recommendations** For cgi gem version 0.1.0.0 through 0.1.0.1, update to version 0.1.0.2 or later. For cgi gem version 0.2.0 through 0.2.1, update to version 0.2.2 or later. For cgi gem version 0.3.0 through 0.3.4, update to version 0.3.5 or later. As a temporary workaround, consider validating and sanitizing user input before inserting it into HTTP response headers or CGI::Cookie objects to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zend Framework versions prior to 1.12.20 **Description** The issue concerns the order and group methods in Zend Db Select, which might allow remote attackers to conduct SQL injection attacks. This is due to the failure to remove comments from an SQL statement before validation. **Recommendations** For versions prior to 1.12.20, update to version 1.12.20 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing user input to minimize the risk of SQL injection attacks. Restrict access to the Zend Db Select component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Amazon.com Kindle application versions prior to 4.5.0 **Description** The issue concerns the failure to verify X.509 certificates from SSL servers, allowing man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. **Recommendations** For versions prior to 4.5.0, update to version 4.5.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SENCHA SNS versions prior to 1.0.2 **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of arbitrary users. **Recommendations** For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SENCHA SNS versions prior to 1.0.2 **Description** The issue allows remote attackers to hijack web sessions. The exact vectors used for the attack are not specified. **Recommendations** For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue.