Icare

**Name of the Vulnerable Software and Affected Versions** Kiteworks versions prior to 9.3.0 **Description** Kiteworks is a private data network (PDN). Multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms allow an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and certain global configuration parameters. SQL Injection is a type of flaw that allows an attacker to interfere with the queries that an application makes to its database. **Recommendations** Upgrade to version 9.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** Kiteworks versions prior to 9.3.0 **Description** Kiteworks is a private data network (PDN). A reflected Cross-Site Scripting (XSS) issue in Kiteworks Secure Data Forms allows an external attacker to trick a user into executing arbitrary JavaScript code. **Recommendations** Upgrade to version 9.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** Kiteworks versions prior to 9.3.0 **Description** A reflected Cross-Site Scripting (XSS) issue in Kiteworks Secure Data Forms allows an external attacker to trick a user into executing arbitrary JavaScript code. Cross-Site Scripting is a flaw where malicious scripts are injected into otherwise trusted websites. **Recommendations** Update to version 9.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** Jenkins LDAP Plugin versions prior to 807.v7d7de30930cf **Description** The plugin deserializes data from LDAP referrals without proper validation. Deserialization is the process of converting a data stream back into an object, which, when performed on untrusted data without validation, can lead to security compromises. **Recommendations** Update to a version later than 807.v7d7de30930cf.

**Name of the Vulnerable Software and Affected Versions** Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 **Description** An authenticated administrator configuring or testing LDAP connectivity may initiate unintended server-side connections when interacting with a malicious LDAP server. **Recommendations** Update Sonatype Nexus Repository Manager to a version later than 3.91.1.

Name of the Vulnerable Software and Affected Versions Kiteworks versions prior to 9.2.0 Description Kiteworks is a private data network (PDN). Prior to version 9.2.0, a flaw in the configuration functionality allows bypassing of Server-Side Request Forgery (SSRF) protections through DNS rebinding attacks. Malicious administrators could exploit this to access restricted internal services. Recommendations Update to version 9.2.0 or later.

Name of the Vulnerable Software and Affected Versions Kiteworks versions prior to 9.2.0 Description Kiteworks is a private data network (PDN). A configuration issue allows the upload of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Recommendations Update to version 9.2.0 or later.

Name of the Vulnerable Software and Affected Versions Kiteworks versions prior to 9.2.0 Description Kiteworks is a private data network (PDN). Prior to version 9.2.0, a flaw in the command execution functionality allows authenticated users to redirect command output to arbitrary file locations. This could be exploited to overwrite critical system files and gain elevated access. Recommendations Update to version 9.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** LibreOffice (affected versions not specified) **Description** The issue is related to insufficient validation of requests on the server side, allowing attackers to access the file system using specially crafted ODT documents. This could enable the discovery of restricted network topology and services, as well as the inclusion of local files with read permissions of the open-xchange system user. The vulnerability is limited to specific file types, such as images. Improved content filters and validators have been implemented to prevent the inclusion of local resources. No publicly available exploits are known. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.