Josh

**Name of the Vulnerable Software and Affected Versions** Cloudflare WARP iOS mobile client (affected versions not specified) **Description** The issue allowed users to bypass the Lock WARP switch feature on the WARP iOS mobile client. This was possible by enabling both "Disable for cellular networks" and "Disable for Wi-Fi networks" switches simultaneously in the application settings, causing the WARP client to disconnect. As a result, users could bypass restrictions and policies enforced by the Zero Trust platform. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WARP iOS client (affected versions not specified) **Description** The Lock Warp switch feature in the Zero Trust platform can be bypassed due to insufficient policy verification by the WARP iOS client. This bypass can be achieved by using the "Disable WARP" quick action, allowing users of enrolled devices to disable the WARP client even when the Lock Warp switch is enabled. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cloudflare WARP mobile client (affected versions not specified) **Description** The issue allowed a user to delete a VPN profile from the WARP mobile client on the iOS platform, despite the Lock WARP switch feature being enabled on the Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WARP (affected versions not specified) **Description** The issue allows a user to disconnect the WARP client and bypass the "Lock WARP switch" feature by using the warp-cli command "add-trusted-ssid". This results in Zero Trust policies not being enforced on an affected endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** woocommerce-gutenberg-products-block versions 2.5.0 through 2.5.15 **Description** An SQL injection issue affects WooCommerce sites running the WooCommerce Blocks feature plugin. This can be exploited via a carefully crafted URL against the "wc/store/products/collection-data?calculate attribute counts[][taxonomy]" endpoint, allowing the execution of a read-only SQL query. **Recommendations** For versions 2.5.0 through 2.5.15, upgrade to version 2.5.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wc/store/products/collection-data?calculate attribute counts[][taxonomy]" endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** WooCommerce versions 3.3.0 through 3.3.5 **Description** An SQL injection issue affects WooCommerce sites running the plugin between versions 3.3.0 and 3.3.5. Malicious actors with admin access or API keys can exploit vulnerable endpoints such as "/wp-json/wc/v3/webhooks" and "/wp-json/wc/v2/webhooks". By carefully crafting the `search` parameter, information can be disclosed using timing and related attacks, although data will not be returned directly. **Recommendations** For versions 3.3.0 through 3.3.5, upgrade to version 3.3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoints "/wp-json/wc/v3/webhooks" and "/wp-json/wc/v2/webhooks" to minimize the risk of exploitation. Avoid using the `search` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Horde Gollem versions prior to 1.1.2 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `file` parameter in a "view file" action. **Recommendations** For versions prior to 1.1.2, update to version 1.1.2 or later to resolve the issue.