Lebr0Nli

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 152 Firefox ESR versions prior to 140.12 Firefox ESR versions prior to 115.37 Thunderbird versions prior to 152 Thunderbird versions prior to 140.12 **Description** A mitigation bypass exists within the DOM security component. The Document Object Model (DOM) is a programming interface for web documents that represents the page so that programs can change the document structure, style, and content. **Recommendations** Update Firefox to version 152. Update Firefox ESR to version 140.12. Update Firefox ESR to version 115.37. Update Thunderbird to version 152. Update Thunderbird to version 140.12.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 149.0.7827.53 **Description** Insufficient validation of untrusted input in DevTools allows an attacker to bypass navigation restrictions. This occurs when a user is convinced to install a crafted malicious Chrome Extension. **Recommendations** Update to version 149.0.7827.53 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 151 Firefox ESR versions prior to 140.11 Thunderbird versions prior to 151 Thunderbird versions prior to 140.11 **Description** A privilege escalation issue exists within the DOM: Workers component.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 150 Thunderbird versions prior to 150 **Description** A mitigation bypass exists within the DOM Security component. **Recommendations** Update to version 150 for Firefox. Update to version 150 for Thunderbird.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 148.0.7778.96 **Description** Insufficient policy enforcement in DevTools allows an attacker to bypass navigation restrictions. This occurs when a user is convinced to install a malicious Chrome Extension, which can then be used to execute the bypass. **Recommendations** Update to version 148.0.7778.96 or later.

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 147.0.7727.55 Description A policy bypass issue existed in ServiceWorkers within Google Chrome before version 147.0.7727.55. A remote attacker could bypass the content security policy by using a specially crafted HTML page. Recommendations Update Google Chrome to version 147.0.7727.55 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 147.0.7727.55 **Description** A flaw exists in the Google Chrome DevTools web development toolkit's data protection mechanism. Successful exploitation could allow a remote attacker to bypass security restrictions by loading a malicious extension. This could occur if a user is convinced to install a malicious extension. Insufficient policy enforcement in DevTools allowed bypassing enterprise host restrictions for cookie modification via a crafted Chrome Extension. **Recommendations** Update Google Chrome to version 147.0.7727.55 or later.

**Name of the Vulnerable Software and Affected Versions** Video Station versions prior to 5.8.2 **Description** An OS command injection issue has been reported, allowing authenticated users to execute commands via a network. **Recommendations** For versions prior to 5.8.2, update to Video Station 5.8.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration (ZCS) versions 10.1.x through 10.1.0 Zimbra Collaboration (ZCS) versions 10.0.x through 10.0.8 Zimbra Collaboration (ZCS) 9.0.0 before Patch 41 Zimbra Collaboration (ZCS) 8.8.15 before Patch 46 **Description** An issue in Zimbra Collaboration allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This permits unauthorized HTTP requests to be sent to internal services, potentially leading to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE). **Recommendations** For Zimbra Collaboration (ZCS) versions 10.1.x through 10.1.0, update to version 10.1.1 or later. For Zimbra Collaboration (ZCS) versions 10.0.x through 10.0.8, update to version 10.0.9 or later. For Zimbra Collaboration (ZCS) 9.0.0, apply Patch 41 or later. For Zimbra Collaboration (ZCS) 8.8.15, apply Patch 46 or later.

**Name of the Vulnerable Software and Affected Versions** TCBServiSign Windows Version from CHANGING Information Technology (affected versions not specified) **Description** The issue concerns a specific API in TCBServiSign that fails to properly validate the length of server-side input. This can be exploited by unauthenticated remote attackers when a user visits a spoofed website, leading to a stack-based buffer overflow that temporarily disrupts the service of TCBServiSign. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CHANGING Information Technology TCBServiSign Windows Version (affected versions not specified) **Description** The issue is related to the insufficient encryption strength of authorization keys. A remote attacker can exploit this by tricking a victim into visiting a malicious website, which TCBServiSign will then treat as a legitimate server and interact with. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TCBServiSign Windows Version from CHANGING Information Technology (affected versions not specified) **Description** The issue concerns improper validation of server-side input in a specific API. This can be exploited by unauthenticated remote attackers when a user visits a spoofed website, allowing them to modify the `HKEY CURRENT USER` registry and execute arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TCBServiSign Windows Version from CHANGING Information Technology (affected versions not specified) **Description** The issue concerns improper validation of server-side input in a specific API. This allows unauthenticated remote attackers to cause TCBServiSign to load a DLL from an arbitrary path when a user visits a spoofed website. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HWATAIServiSign Windows Version from CHANGING Information Technology (affected versions not specified) **Description** The issue arises from improper validation of the length of server-side inputs in a specific API. This can be exploited by unauthenticated remote attackers when a user visits a spoofed website, leading to a stack-based buffer overflow that temporarily disrupts the service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.11-36 **Description** The issue arises when the `AppImage` version of ImageMagick sets the `MAGICK CONFIGURE PATH` and `LD LIBRARY PATH` environment variables to an empty path during execution. This could potentially lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory. **Recommendations** For versions prior to 7.11-36, update to version 7.11-36 or later to resolve the issue. As a temporary workaround, consider restricting the execution of ImageMagick in untrusted directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QuFirewall versions prior to 2.4.1 **Description** A path traversal vulnerability has been reported to affect QuFirewall. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. **Recommendations** For versions prior to 2.4.1, update to QuFirewall 2.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QuFirewall versions prior to 2.4.1 **Description** A path traversal issue has been reported, allowing authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. **Recommendations** For versions prior to 2.4.1, update to QuFirewall 2.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Photo Station versions prior to 6.4.2 **Description** An OS command injection issue has been reported, potentially allowing authenticated users to execute commands via a network. The vulnerability is related to insufficient protection of the web page structure, which could enable a remote attacker to execute arbitrary commands. **Recommendations** For versions prior to 6.4.2, update to Photo Station 6.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Photo Station application until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Photo Station versions prior to 6.4.2 **Description** A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. The issue is related to the lack of protection measures for the web page structure, which could allow a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 6.4.2, update to Photo Station 6.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Photo Station application until the update is applied.

**Name of the Vulnerable Software and Affected Versions** QuMagie versions prior to 2.2.1 **Description** A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. **Recommendations** For versions prior to 2.2.1, update to QuMagie 2.2.1 or later to resolve the issue.