James Kettle

**Name of the Vulnerable Software and Affected Versions** Camaleon CMS versions 2.7.0 through 2.7.3 **Description** The issue is related to a Server-Side Template Injection (SSTI) vulnerability. It occurs via the `formats` parameter. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For Camaleon CMS versions 2.7.0 through 2.7.3, update to version 2.7.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `formats` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified) Cisco Firepower Threat Defense (FTD) Software (affected versions not specified) **Description** The issue is related to improper validation of input that is passed to the VPN web client services component before being returned to the browser that is in use. This could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. An attacker could exploit this by persuading a user to visit a website that is designed to pass malicious requests to a device that is running Cisco ASA Software or Cisco FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting attacks. **Recommendations** For Cisco Adaptive Security Appliance (ASA) Software, consider disabling the Clientless SSL VPN feature until a patch is available. For Cisco Firepower Threat Defense (FTD) Software, restrict access to the VPN web client services component to minimize the risk of exploitation. Avoid using web services endpoints that support VPN features until the issue is resolved. As a temporary workaround, consider configuring the device to validate input more strictly before passing it to the browser. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue involves unauthenticated redirection to a malicious website. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HTTP::Daemon versions prior to 6.15 **Description** The issue is related to inconsistent interpretation of HTTP requests when handling `Content-Length` values, potentially allowing a remote attacker to gain privileged access to APIs or poison intermediate caches by sending specially crafted HTTP requests. This could lead to HTTP request smuggling attacks, enabling an attacker to bypass web application firewall protection and conduct XSS attacks. The library is commonly used for local development and tests, and most Perl-based applications are served on top of Nginx or Apache. **Recommendations** For versions prior to 6.15, update to version 6.15 or later to resolve the issue. As a temporary workaround for users unable to upgrade, add additional request handling logic by inspecting the returned `HTTP::Request` object after calling `my $rqst = $conn->get request()`, and querying the `Content-Length` header (`my $cl = $rqst->header('Content-Length')`) to detect any abnormalities that should be dealt with by a `400` response. Expected strings of `Content-Length` should consist of either a single non-negative integer or a comma-separated repetition of that number. Anything else should be rejected.

**Name of the Vulnerable Software and Affected Versions** Varnish Cache versions 6.0.0 through 6.6.1 Varnish Cache 6.0 LTS versions 6.0.0 through 6.0.9 Varnish Cache 7.x versions 7.0.0 through 7.0.1 Varnish Enterprise (Cache Plus) 4.1.x versions 4.1.0 through 4.1.11r5 Varnish Enterprise (Cache Plus) 6.0.x versions 6.0.0 through 6.0.9r3 **Description** Request smuggling can occur for HTTP/1 connections in the affected versions of Varnish Cache and Varnish Enterprise. **Recommendations** For Varnish Cache versions 6.0.0 through 6.6.1, update to version 6.6.2 or later. For Varnish Cache 6.0 LTS versions 6.0.0 through 6.0.9, update to version 6.0.10 or later. For Varnish Cache 7.x versions 7.0.0 through 7.0.1, update to version 7.0.2 or later. For Varnish Enterprise (Cache Plus) 4.1.x versions 4.1.0 through 4.1.11r5, update to version 4.1.11r6 or later. For Varnish Enterprise (Cache Plus) 6.0.x versions 6.0.0 through 6.0.9r3, update to version 6.0.9r4 or later.

Name of the Vulnerable Software and Affected Versions: hyper versions 0.12.0 through 0.13.9 hyper versions 0.14.0 through 0.14.2 Description: The HTTP server code in hyper has a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks". To determine if vulnerable, all these things must be true: using hyper as an HTTP server, using HTTP/1.1, and using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. Recommendations: For hyper versions 0.12.0 through 0.13.9, update to version 0.13.10 or later. For hyper versions 0.14.0 through 0.14.2, update to version 0.14.3 or later. As a temporary workaround, consider rejecting requests that contain a `transfer-encoding` header. Alternatively, ensure any upstream proxy handles `transfer-encoding` correctly.

**Name of the Vulnerable Software and Affected Versions** Zammad versions 3.0 through 3.2 **Description** A cross-site scripting (XSS) issue was discovered, allowing malicious code to be provided by a low-privileged user through the File Upload functionality. The malicious JavaScript will execute within the browser of any user who opens a specially crafted link to the uploaded file with an active Zammad session. **Recommendations** For Zammad versions 3.0 through 3.2, consider disabling the File Upload functionality until a patch is available to prevent exploitation of this issue. Restrict access to uploaded files to minimize the risk of malicious JavaScript execution.

**Name of the Vulnerable Software and Affected Versions** Symfony versions 2.7.0 through 2.7.48 Symfony versions 2.8.0 through 2.8.43 Symfony versions 3.3.0 through 3.3.17 Symfony versions 3.4.0 through 3.4.13 Symfony versions 4.0.0 through 4.0.13 Symfony versions 4.1.0 through 4.1.2 **Description** The issue arises from the support for a legacy IIS header that allows users to override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. This can be exploited by a remote attacker to impact the integrity of protected data. The vulnerability affects the `SymfonyComponentHttpFoundationRequest::prepareRequestUri()` function, where `X-Original-URL` and `X REWRITE URL` are used. The exploitation of this issue can lead to web cache poisoning. **Recommendations** For Symfony versions 2.7.0 through 2.7.48, update to a version that drops support for the `X-Original-URL` and `X-Rewrite-URL` methods. For Symfony versions 2.8.0 through 2.8.43, update to a version that drops support for the `X-Original-URL` and `X-Rewrite-URL` methods. For Symfony versions 3.3.0 through 3.3.17, update to a version that drops support for the `X-Original-URL` and `X-Rewrite-URL` methods. For Symfony versions 3.4.0 through 3.4.13, update to a version that drops support for the `X-Original-URL` and `X-Rewrite-URL` methods. For Symfony versions 4.0.0 through 4.0.13, update to a version that drops support for the `X-Original-URL` and `X-Rewrite-URL` methods. For Symfony versions 4.1.0 through 4.1.2, update to a version that drops support for the `X-Original-URL` and `X-Rewrite-URL` methods. As a temporary workaround, consider disabling the use of the `X-Original-URL` and `X-Rewrite-URL` headers in the `prepareRequestUri()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** phpBB versions prior to 3.0.13 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject arbitrary web script or HTML. The vulnerability is related to "Relative Path Overwrite" in the includes/startup.php file. **Recommendations** For versions prior to 3.0.13, update to version 3.0.13 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Django versions 1.3.x through 1.3.3 Django versions 1.4.x through 1.4.1 **Description** The issue allows remote attackers to generate and display arbitrary URLs via crafted `username` and `password` Host header values in the `django.http.HttpRequest.get host` function. **Recommendations** For Django versions 1.3.x through 1.3.3, update to version 1.3.4 or later. For Django versions 1.4.x through 1.4.1, update to version 1.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** Gallery 3 versions prior to 3.0.4 **Description** The issue allows attackers to execute arbitrary PHP code via unknown vectors. **Recommendations** For versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gallery 3 versions prior to 3.0.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, which can lead to cross-site scripting (XSS) attacks. **Recommendations** For Gallery 3 versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gallery 2 versions prior to 2.3.2 Gallery 3 versions prior to 3.0.3 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the administration subsystem. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For Gallery 2 versions prior to 2.3.2, update to version 2.3.2 or later. For Gallery 3 versions prior to 3.0.3, update to version 3.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.x through 3.4.13 Bugzilla versions 3.5.x through 3.6.7 Bugzilla versions 3.7.x through 4.0.3 Bugzilla versions 4.1.x through 4.2rc1 **Description** The issue allows remote authenticated users to spoof other user accounts by choosing a similar e-mail address, as it does not reject non-ASCII characters in e-mail addresses of new user accounts. **Recommendations** For versions 2.x through 3.4.13, update to version 3.4.14 or later. For versions 3.5.x through 3.6.7, update to version 3.6.8 or later. For versions 3.7.x through 4.0.3, update to version 4.0.4 or later. For versions 4.1.x through 4.2rc1, update to version 4.2rc2 or later.