Jane Smith

**Name of the Vulnerable Software and Affected Versions:** Juniper Networks Junos OS on SRX Series versions prior to 21.4R3-S9 Juniper Networks Junos OS on SRX Series versions 22.2 through 22.2R3-S5 Juniper Networks Junos OS on SRX Series versions 22.4 through 22.4R3-S5 Juniper Networks Junos OS on SRX Series versions 23.2 through 23.2R2-S3 Juniper Networks Junos OS on SRX Series versions 23.4 through 23.4R2-S5 Juniper Networks Junos OS on SRX Series versions 24.2 through 24.2R2 **Description:** An incorrect authorization vulnerability exists in the web server of Juniper Networks Junos OS on SRX Series. This allows an unauthenticated, network-based attacker to access the Juniper Web Device Manager (J-Web). The issue occurs when Juniper Secure connect (JSC) is enabled on specific interfaces, or multiple interfaces are configured for J-Web, making the J-Web UI reachable over more than the intended interfaces. **Recommendations:** Update to Junos OS version 21.4R3-S9 or later. Update to Junos OS version 22.2R3-S5 or later. Update to Junos OS version 22.4R3-S5 or later. Update to Junos OS version 23.2R2-S3 or later. Update to Junos OS version 23.4R2-S5 or later. Update to Junos OS version 24.2R2 or later.

Name of the Vulnerable Software and Affected Versions: MediaWiki - MsUpload extension versions 1.39.X through 1.39.12 MediaWiki - MsUpload extension versions 1.42.X through 1.42.6 MediaWiki - MsUpload extension versions 1.43.X through 1.43.1 Description: The MsUpload extension for MediaWiki is vulnerable to stored XSS via the `msu-continue` system message, which is inserted into the DOM without proper sanitization. This issue occurs in the file upload UI when the same filename is uploaded twice. Recommendations: For MediaWiki - MsUpload extension versions 1.39.X through 1.39.12, update to version 1.39.13 or later. For MediaWiki - MsUpload extension versions 1.42.X through 1.42.6, update to version 1.42.7 or later. For MediaWiki - MsUpload extension versions 1.43.X through 1.43.1, update to version 1.43.2 or later.

**Name of the Vulnerable Software and Affected Versions** HPE Networking Instant On Access Points versions 3.2.0 and earlier HPE Aruba Instant On Access Points versions 3.2.0.1 and earlier Aruba Instant On APs versions 3.2.0 and earlier **Description** HPE Networking and Aruba Instant On Access Points are affected by hard-coded login credentials. Exploitation of this issue allows attackers to bypass normal device authentication and gain administrative access to the system remotely. The vulnerability could potentially allow a full system takeover if chained with a second, unspecified bug. **Recommendations** HPE Networking Instant On Access Points versions 3.2.0 and earlier: Upgrade firmware to version 3.2.1.0 or later. HPE Aruba Instant On Access Points versions 3.2.0.1 and earlier: Upgrade firmware to version 3.2.1.0 or later. Aruba Instant On APs versions 3.2.0 and earlier: Upgrade firmware to version 3.2.1.0 or later.

Name of the Vulnerable Software and Affected Versions: educoder challenges version 1.0 Description: The issue is related to insufficient security mechanisms for created containers, allowing attackers to execute arbitrary code by injecting crafted content into a container. Recommendations: For educoder challenges version 1.0, consider restricting the ability to inject content into containers as a temporary mitigation measure until a more comprehensive fix is available.

**Name of the Vulnerable Software and Affected Versions** Veeam Backup & Replication versions prior to 12.3.2.3617 **Description** A critical remote code execution (RCE) vulnerability allows authenticated domain users to execute code on the Backup Server. This vulnerability affects Veeam Backup & Replication software, specifically impacting backup servers that are joined to a Windows domain. The estimated number of potentially affected devices worldwide is not explicitly stated, but it is mentioned that over 550,000 clients use Veeam's solutions, including 82% of Fortune 500 companies and 74% of Global 2000 firms. There have been real-world incidents where this issue was exploited, with attackers targeting Veeam Backup & Replication servers. **Recommendations** To resolve the issue, update Veeam Backup & Replication to version 12.3.2.3617 or later. As a temporary workaround, consider restricting access to the Backup Server to minimize the risk of exploitation. Additionally, follow isolation best practices to reduce the attack surface.

Name of the Vulnerable Software and Affected Versions: Comodo Internet Security Premium version 12.3.4.8162 Description: A critical vulnerability was found in the File Name Handler component, where the manipulation of the `name/folder` argument leads to path traversal. The attack can be launched remotely, with a rather high complexity and difficult exploitability. The exploit has been disclosed to the public and may be used. The vendor was contacted about this disclosure but did not respond. Recommendations: For Comodo Internet Security Premium version 12.3.4.8162, as a temporary workaround, consider restricting access to the File Name Handler component until a patch is available. Avoid using the `name/folder` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BOINC Server versions prior to 1.4.3 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) problem. This allows for Cross-Site Request Forgery. **Recommendations** For versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue. As a temporary workaround, consider implementing additional validation for requests to prevent unauthorized actions. Restrict access to sensitive operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** HPE StoreOnce Software (affected versions not specified) **Description** A command injection remote code execution issue exists. This allows for potential code execution on affected systems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.