Jeremy

**Name of the Vulnerable Software and Affected Versions** Anaconda 3 versions 2023.03-1-Linux Miniconda version not specified **Description** The issue allows local users to disrupt TLS certificate validation by modifying the `cacert.pem` file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. The estimated number of potentially affected devices is not provided, and there is no information about real-world incidents where this issue was exploited. **Recommendations** For Anaconda 3 version 2023.03-1-Linux, consider restricting write access to the `cacert.pem` file to prevent modification. For Miniconda, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling world-writable files in the Miniconda installation directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ruby versions prior to 2.4.0 **Description** The issue allows attackers to inject SMTP commands using CRLF sequences in RCPT TO or MAIL FROM commands. This can be demonstrated by CRLF sequences immediately before and after a DATA substring. **Recommendations** For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of CRLF sequences in RCPT TO or MAIL FROM commands to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** mail gem versions prior to 2.5.5 **Description** The issue allows for SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command. This can be demonstrated by CRLF sequences immediately before and after a DATA substring. **Recommendations** For versions prior to 2.5.5, update to version 2.5.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** s2Member Pro plugin versions prior to 111220 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `s2member pro authnet checkout[coupon]` parameter, also known as the Coupon Code field. **Recommendations** For versions prior to 111220, update to version 111220 or later to resolve the issue. As a temporary workaround, consider restricting access to the `s2member pro authnet checkout[coupon]` parameter to minimize the risk of exploitation.