Dino · Dino · CVE-2023-28686
**Name of the Vulnerable Software and Affected Versions**
Dino versions prior to 0.2.3
Dino versions 0.3.x prior to 0.3.2
Dino versions 0.4.x prior to 0.4.2
**Description**
The issue allows attackers to modify a user’s personal bookmark store via a crafted message. When a Dino client receives a specially crafted message from an unauthorized sender, it uses information from that message to add, update, or remove entries in the user’s personal bookmark store without requiring further user interaction. This can change how group chats are displayed or force a victim to join a group chat, potentially tricking the victim into disclosing sensitive information.
**Recommendations**
For versions prior to 0.2.3, update to version 0.2.3 or later.
For versions 0.3.x prior to 0.3.2, update to version 0.3.2 or later.
For versions 0.4.x prior to 0.4.2, update to version 0.4.2 or later.
As a temporary workaround, consider restricting the handling of crafted messages until a patch is applied.