Joseph

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak occurs in the ext4 file system within the `ext4 fc replay inode()` function. The function calls `ext4 get fc inode loc()` to obtain the inode location, which creates a reference to `iloc.bh` that requires release via `brelse()`. However, certain error paths—specifically failures in `ext4 handle dirty metadata()`, `sync dirty buffer()`, `ext4 mark inode used()`, and `ext4 iget()`—jump to the exit label without releasing `iloc.bh`. Additionally, the `ext4 fc replay inode()` function fails to propagate errors correctly, returning 0 regardless of the outcome. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP Toolkit versions prior to 1.0.1 **Description** The issue is related to an interpretation conflict in the PHP Toolkit that could allow local users to cause a denial of service and read the contents of PHP scripts. This is achieved by creating a file with a one-letter lowercase alphabetic name, which triggers the interpretation of a certain unquoted `[a-z]` argument as a matching shell glob for this name, rather than as the literal `[a-z]` regular-expression string. As a result, the launch of the PHP interpreter within the Apache HTTP Server is blocked. **Recommendations** For PHP Toolkit versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phphelpdesk version 0.6.16 **Description** A SQL injection issue exists in the login page, allowing remote attackers to execute arbitrary SQL commands. This is related to the login procedures, though specific parameters are not specified. **Recommendations** For phphelpdesk version 0.6.16, update to a newer version that contains a fix for this issue, as using outdated software can pose significant security risks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OneOrZero Helpdesk versions 1.6.4.2 through 1.6.5.4 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary web script or HTML via XSS sequences without SCRIPT tags in the `description` parameter to (1) "tcreate.php" or (2) "tupdate.php". This can be achieved using events such as `onmouseover` in a `b` tag. **Recommendations** For OneOrZero Helpdesk versions 1.6.4.2 through 1.6.5.4, consider disabling the `stripScripts` function in common.php until a patch is available, and restrict access to the "tcreate.php" and "tupdate.php" endpoints to minimize the risk of exploitation. Avoid using the `description` parameter in these endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Minb Is Not a Blog (minb) (affected versions not specified) **Description** The issue allows remote attackers to download a database containing usernames and encrypted passwords via a direct request for 'db/users.db'. This is due to the storage of sensitive information under the web root with insufficient access control. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.