Krastanoel

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.36.13 **Description** The issue is related to incorrect restriction of a directory path with limited access in ZoneMinder, a video surveillance software. This can be exploited by a remote attacker to execute arbitrary code by sending a specially crafted file to the server. The vulnerability can be exploited via an invalid language, which contributes to its exploitability. **Recommendations** For versions prior to 1.36.13, update to version 1.36.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the language settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eLabFTW versions prior to 4.1.0 **Description** The issue allows attackers to bypass a brute-force protection mechanism by using many different forged `PHPSESSID` values in the HTTP Cookie header. This has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies, which will effectively thwart any brute-force attempts at guessing passwords. **Recommendations** For versions prior to 4.1.0, the only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is a valid option, with or without upgrading.