Javor Ninov

**Name of the Vulnerable Software and Affected Versions** Big Webmaster Guestbook Script versions 1.02 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several fields, including the `mail`, `site`, `city`, `state`, `country`, and possibly the `name` fields, which are viewed via the "viewguest.cgi" endpoint. This can be exploited by attackers to inject malicious scripts. **Recommendations** For Big Webmaster Guestbook Script versions 1.02 and earlier, consider restricting input for the `mail`, `site`, `city`, `state`, `country`, and `name` fields in the "addguest.cgi" script to prevent arbitrary web script or HTML injection until a patch is available. As a temporary workaround, restrict access to the "viewguest.cgi" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CAPI4HylaFAX version 1.3 **Description** The issue allows local users to modify arbitrary files via a symlink attack on the c2faxrecv dbgdatafile.sff temporary file when CAPI4HylaFAX is compiled with GENERATE DEBUGSFFDATAFILE set. **Recommendations** For CAPI4HylaFAX version 1.3, as a temporary workaround, consider disabling the compilation with GENERATE DEBUGSFFDATAFILE set until a patch is available. Restrict access to the temporary file c2faxrecv dbgdatafile.sff to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mozilla Thunderbird version 1.5 **Description** The issue allows user-assisted attackers to cause a denial of service by tricking the user into importing an LDIF file with a long field into the address book. This can be demonstrated by a long `homePhone` field. **Recommendations** For Mozilla Thunderbird version 1.5, avoid importing LDIF files with long fields into the address book until a fix is available. As a temporary workaround, consider restricting the import of LDIF files or limiting the length of fields that can be imported into the address book.