Jim

**Name of the Vulnerable Software and Affected Versions** Microsoft Office versions prior to the fixed version Microsoft Office 2016 Microsoft Office 2019 Microsoft Office LTSC 2021 Microsoft 365 Apps for Enterprise **Description** A spoofing vulnerability in Microsoft Office allows attackers to affect the system. The vulnerability is related to insufficient protection of service data and can be exploited by an attacker to steal NTLM hashes. This can be done by guiding the victim to a website or opening a specially crafted file. The vulnerability affects various versions of Microsoft Office, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. **Recommendations** For Microsoft Office 2016, update to a newer version that contains a fix for this vulnerability. For Microsoft Office 2019, update to a newer version that contains a fix for this vulnerability. For Microsoft Office LTSC 2021, update to a newer version that contains a fix for this vulnerability. For Microsoft 365 Apps for Enterprise, update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider blocking NTLM traffic to minimize the risk of exploitation. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the parameter `user id` in the affected API endpoint until the issue is resolved. Configure the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy setting to block outgoing NTLM traffic from a computer running Windows Server 2008, Windows Server 2008 R2, or later to any remote server running the Windows operating system.

**Name of the Vulnerable Software and Affected Versions** phpArcadeScript versions 2.0 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including `gamename` in "tellafriend.php", `login status` in "loginbox.php", `submissionstatus` in "index.php", `cell title background color` and `browse cat name` in "browse.php", and `gamefile` in "displaygame.php". This could potentially affect a large number of devices worldwide, although the exact number is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For phpArcadeScript versions 2.0 and earlier, consider disabling the affected parameters, such as `gamename`, `login status`, `submissionstatus`, `cell title background color`, `browse cat name`, and `gamefile`, until a patch is available. Restrict access to the vulnerable PHP scripts, including "tellafriend.php", "loginbox.php", "index.php", "browse.php", and "displaygame.php", to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.