Johannes Moritz

**Name of the Vulnerable Software and Affected Versions** Odoo Community versions 15.0 and earlier Odoo Enterprise versions 15.0 and earlier **Description** The issue allows remote attackers to inject arbitrary web script in the browser of a victim via crafted uploaded file names. This is a cross-site scripting (XSS) issue. **Recommendations** For Odoo Community versions 15.0 and earlier, update to a version later than 15.0 to resolve the issue. For Odoo Enterprise versions 15.0 and earlier, update to a version later than 15.0 to resolve the issue. As a temporary workaround, consider restricting the upload of files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** xfce4-settings versions 4.16.3 and earlier, 4.17.x before 4.17.1 **Description** There is an argument injection issue in the xfce4-mime-helper from the xfce4-settings package. This issue allows for argument injection, which can potentially be exploited. **Recommendations** For versions 4.16.3 and earlier, update to version 4.16.4 or later. For versions 4.17.x before 4.17.1, update to version 4.17.1 or later.

**Name of the Vulnerable Software and Affected Versions** DSpace versions prior to 5.11 DSpace versions prior to 6.4 **Description** The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, by modifying some request parameters during submission. This path traversal can only be executed by a user with special privileges (submitter rights). This vulnerability only impacts the JSPUI. The user must first have submitter privileges to at least one Collection and be able to determine how to modify the request parameters to exploit the vulnerability. **Recommendations** For DSpace 5.x, upgrade to version 5.11 or apply the patch file manually. For DSpace 6.x, upgrade to version 6.4 or apply the patch file manually. To apply the patch, download the appropriate patch file, apply it from the [dspace-src] folder using `git apply [name-of-file].patch`, rebuild DSpace using `mvn -U clean package`, redeploy DSpace using `ant update`, and restart Tomcat.

**Name of the Vulnerable Software and Affected Versions** DSpace versions prior to 5.11 DSpace versions prior to 6.4 **Description** The JSPUI controlled vocabulary servlet in DSpace is vulnerable to an open redirect attack. An attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL, which redirects the target to a site of the attacker's choice when clicked. This issue does not impact the XMLUI or 7.x versions. **Recommendations** For DSpace 5.x versions: Upgrade to version 5.11 or apply the patch file from https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de.patch and follow the instructions to manually apply the patch. For DSpace 6.x versions: Upgrade to version 6.4 or apply the patch file from https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9.patch and follow the instructions to manually apply the patch. In general, if an immediate upgrade is not possible, manually applying the provided patches is recommended.

**Name of the Vulnerable Software and Affected Versions** DSpace versions prior to 5.11 DSpace versions prior to 6.4 **Description** The ItemImportServiceImpl in DSpace is vulnerable to a path traversal vulnerability, allowing a malicious SAF package to create files or directories anywhere the Tomcat/DSpace user can write to on the server. This vulnerability is only possible by a user with special privileges, such as Administrators or those with command-line access to the server. It impacts the XMLUI, JSPUI, and command-line. Users can block access to specific URL paths as a basic workaround: `/admin/batchimport` for XMLUI and `/dspace-admin/batchimport` for JSPUI, considering the site's path usage. **Recommendations** Upgrade to DSpace version 5.11 or later for DSpace 5.x Upgrade to DSpace version 6.4 or later for DSpace 6.x As a temporary workaround, block all access to the following URL paths: If using XMLUI, block access to `/admin/batchimport` path If using JSPUI, block access to `/dspace-admin/batchimport` path Manually apply the patch files provided for DSpace 5.x and 6.x if an immediate upgrade is not possible.

Name of the Vulnerable Software and Affected Versions: Tapestry version 5.4.1 Description: The issue affects Tapestry, with general information about the problem available. No estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited are provided. Recommendations: For Tapestry version 5.4.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moodle (affected versions not specified) **Description** A remote code execution risk was identified in the Shibboleth authentication plugin of Moodle. The issue is related to incorrect code generation management. An attacker can exploit this issue by sending a specially crafted request, allowing them to execute arbitrary code remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** moodle versions prior to 3.5.2 moodle versions prior to 3.4.5 moodle versions prior to 3.3.8 moodle versions prior to 3.1.14 **Description** The issue allows for intentional remote code execution when importing legacy 'drag and drop into text' (ddwtos) type quiz questions. This could lead to the injection and execution of PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. **Recommendations** For versions prior to 3.5.2, update to version 3.5.2 or later. For versions prior to 3.4.5, update to version 3.4.5 or later. For versions prior to 3.3.8, update to version 3.3.8 or later. For versions prior to 3.1.14, update to version 3.1.14 or later.