Martin Prpič

**Name of the Vulnerable Software and Affected Versions** ircd-ratbox version 3.0.9 **Description** A Denial of Service issue exists in the MONITOR Command Handler, allowing remote attackers to cause a system out-of-memory event. **Recommendations** For ircd-ratbox version 3.0.9, consider disabling the MONITOR command handler as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** swagger-ui (affected versions not specified) **Description** The issue is related to Cross-Site Scripting (XSS) in key names. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pagure (affected versions not specified) **Description** The issue allows for XSS in the file attachment endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** redis (affected versions not specified) **Description** A permissions flaw was found, which sets weak permissions on certain files and directories that could potentially contain sensitive information. A local, unprivileged user could possibly use this flaw to access unauthorized system information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** URONode versions prior to 1.0.5r3 node version 0.3.2 **Description** The issue allows remote attackers to cause a denial of service, resulting in bandwidth consumption. **Recommendations** For node version 0.3.2, update to a version that contains a fix for this issue. For URONode versions prior to 1.0.5r3, update to version 1.0.5r3 or later.

**Name of the Vulnerable Software and Affected Versions** Salt versions prior to 2014.7.6 **Description** The issue is related to the lack of certificate verification when connecting via certain modules. Specifically, the `aliyun`, `proxmox`, and `splunk` modules do not verify certificates. This could potentially lead to security risks. **Recommendations** For versions prior to 2014.7.6, update to version 2014.7.6 or later to resolve the issue. As a temporary workaround, consider disabling the use of the `aliyun`, `proxmox`, and `splunk` modules until a patch is applied. Restrict access to these modules to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LXDM versions prior to 0.5.2 **Description** The issue allows local users to bypass authentication with X connections due to the lack of the -auth option when starting the X server. **Recommendations** For versions prior to 0.5.2, update to version 0.5.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** oVirt Engine versions prior to 4.0 **Description** The issue concerns the disclosure of sensitive information, specifically the ENGINE HTTPS PKI TRUST STORE PASSWORD, which is logged in the /var/log/ovirt-engine/engine.log file. This affects oVirt Engine in RHEV before version 4.0. **Recommendations** For versions prior to 4.0, update to version 4.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** xzgrep versions prior to 5.2.0 **Description** The issue allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name, due to improper processing of file names containing semicolons. **Recommendations** For versions prior to 5.2.0, update to version 5.2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** mock (affected versions not specified) **Description** The issue is related to the scm plug-in in mock, which may allow attackers to bypass the intended chroot protection mechanism and gain root privileges via a crafted spec file. This is due to insufficient access control, potentially enabling a remote attacker to exploit the weakness and obtain superuser privileges using a specially created file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** machinectl (affected versions not specified) **Description** The issue allows local users to list running containers and possibly obtain sensitive information by running the machinectl command in oci-register-machine. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibTIFF (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service, resulting in memory consumption and a crash, by using a crafted tiff file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Qt version 4.8.5 **Description** A stack-based buffer overflow issue exists in the QXmlSimpleReader component, allowing remote attackers to cause an application crash by providing a specially crafted XML file containing multiple nested open tags. **Recommendations** For Qt version 4.8.5, consider updating to a newer version that addresses this issue, as using a specially crafted XML file can cause an application crash. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** unrtf version 0.21.9 **Description** The issue is caused by multiple stack-based buffer overflows that allow remote attackers to cause a denial-of-service. This can be achieved by writing a negative integer to the (1) cmd expand function, (2) cmd emboss function, or (3) cmd engrave function. **Recommendations** For unrtf version 0.21.9, as a temporary workaround, consider disabling the cmd expand, cmd emboss, and cmd engrave functions until a patch is available. Restrict access to these functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: MCabber versions prior to 1.0.4 Description: The issue allows remote attackers to intercept communications or add themselves as an entity on a third party's roster as another user, garnering associated privileges, via crafted XMPP packets. This is achieved through roster push attacks. Recommendations: For versions prior to 1.0.4, update to version 1.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to roster management functions until a patch is applied. Avoid using crafted XMPP packets in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** pcsd versions prior to 0.9.149 **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability in the pcsd web UI. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions prior to 0.9.149, update to version 0.9.149 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** pcsd in pcs versions prior to 0.9.157 **Description** The issue is related to a session fixation problem. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 0.9.157, update to version 0.9.157 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Openstack Manila versions prior to 2.5.1 **Description** A cross-site scripting (XSS) issue exists in the Shares overview of Openstack Manila, allowing remote authenticated users to inject arbitrary web script or HTML via the `Metadata` field in the "Create Share" form. **Recommendations** For versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MongoDB (affected versions not specified) **Description** The issue concerns the client in MongoDB, where world-readable permissions are used on .dbshell history files. This could allow local users to obtain sensitive information by reading these files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Enterprise Virtualization (RHEV) Engine version 4.0 **Description** The issue allows local users to obtain sensitive database provisioning information. This is achieved by reading log files, specifically those generated by the ovirt-engine-provisiondb utility. **Recommendations** For Red Hat Enterprise Virtualization (RHEV) Engine version 4.0, consider restricting access to log files generated by the ovirt-engine-provisiondb utility to minimize the risk of sensitive information disclosure.