K3Ppf0R

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-641 **Description** An issue in Bento4 allows an attacker to trigger a segmentation fault via Ap4Atom.cpp, specifically in `AP4 AtomParent::RemoveChild`, during the execution of `mp4encrypt` with a specially crafted MP4 input file. **Recommendations** For Bento4 version 1.6.0-641, as a temporary workaround, consider disabling the `AP4 AtomParent::RemoveChild` function until a patch is available. Restrict access to the `Ap4Atom.cpp` module to minimize the risk of exploitation. Avoid using specially crafted MP4 input files in the affected `mp4encrypt` function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-641 **Description** A buffer overflow issue in Bento4 allows a local attacker to execute arbitrary code via the `AP4 Stz2Atom::AP4 Stz2Atom` component located in `Ap4Stz2Atom.cpp`. This enables local arbitrary code execution. **Recommendations** For Bento4 version 1.6.0-641, consider disabling the `AP4 Stz2Atom::AP4 Stz2Atom` component as a temporary workaround until a patch is available. Restrict access to the `Ap4Stz2Atom.cpp` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-641 **Description** A buffer overflow issue allows a local attacker to execute arbitrary code via the Ap4RtpAtom.cpp, specifically in AP4 RtpAtom::AP4 RtpAtom, during the execution of mp4fragment with a crafted MP4 input file. **Recommendations** For Bento4 version 1.6.0-641, consider disabling the `AP4 RtpAtom::AP4 RtpAtom` function until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-641 **Description** An issue in Bento4 allows an attacker to obtain sensitive information via the Mp4Fragment.cpp and in AP4 DescriptorFactory::CreateDescriptorFromStream at Ap4DescriptorFactory.cpp. **Recommendations** For Bento4 version 1.6.0-641, as a temporary workaround, consider restricting access to the `Mp4Fragment.cpp` and `AP4 DescriptorFactory::CreateDescriptorFromStream` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-641 **Description** An issue in Bento4 allows an attacker to cause a memory leak via Ap4Marlin.cpp and Ap4Processor.cpp, specifically in `AP4 MarlinIpmpEncryptingProcessor::Initialize` and `AP4 Processor::Process`, during the execution of mp4encrypt with a specially crafted MP4 input file. **Recommendations** As a temporary workaround, consider disabling the `AP4 MarlinIpmpEncryptingProcessor::Initialize` and `AP4 Processor::Process` functions until a patch is available. Restrict access to the vulnerable modules `Ap4Marlin.cpp` and `Ap4Processor.cpp` to minimize the risk of exploitation. Avoid using the mp4encrypt function with specially crafted MP4 input files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-641 **Description** An issue in Bento4 allows an attacker to obtain sensitive information via the mp4fragment tool when processing invalid files. Specifically, memory allocated in `SampleArray::SampleArray` in `Mp4Fragment.cpp` is not properly released. **Recommendations** For Bento4 version 1.6.0-641, consider disabling the `mp4fragment` tool until a patch is available to prevent potential exploitation. Additionally, restrict access to the `Mp4Fragment.cpp` module to minimize the risk of sensitive information disclosure. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** 14Finger version 1.1 **Description** The issue allows for arbitrary user deletion through the "/api/admin/user?id" API endpoint. This endpoint is used for administrative purposes, and the vulnerability could be exploited to delete users without proper authorization. **Recommendations** For version 1.1, consider disabling access to the "/api/admin/user?id" API endpoint until a patch is available to prevent exploitation. Restricting the use of the `id` parameter in this endpoint can also help minimize the risk.

**Name of the Vulnerable Software and Affected Versions** 14Finger version 1.1 **Description** Insecure permissions in the software allow attackers to escalate privileges from a normal user to Administrator via a crafted POST request. This issue can be exploited by sending a manipulated POST request to gain elevated access. **Recommendations** For version 1.1, consider restricting access to the software until a patch is available, and avoid using the software for sensitive operations. As a temporary workaround, restrict the privileges of the user account used to run the software to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 14Finger version 1.1 **Description** The issue is related to a remote command execution (RCE) vulnerability in the fingerprint function. This vulnerability allows attackers to execute arbitrary commands via a crafted payload. **Recommendations** For version 1.1, consider disabling the fingerprint function until a patch is available to prevent exploitation of the RCE vulnerability. Restrict access to the fingerprint function to minimize the risk of arbitrary command execution. Avoid using crafted payloads in the fingerprint function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 14Finger version 1.1 **Description** The issue is related to insecure permissions in the component "/api/admin/user" that allows attackers to access all user information via a crafted GET request. **Recommendations** For 14Finger version 1.1, consider restricting access to the "/api/admin/user" endpoint until a patch is available. As a temporary workaround, limit the information that can be retrieved via GET requests to this endpoint to minimize the risk of exploitation.