Matt Austin

**Name of the Vulnerable Software and Affected Versions** Zulip Desktop versions prior to 5.0.0 **Description** The issue allows attackers to perform recording via the webcam and microphone due to a missing permission request handler. **Recommendations** For versions prior to 5.0.0, update to version 5.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zulip Desktop versions prior to 5.0.0 **Description** The issue is related to the improper use of `shell.openExternal` and `shell.openItem` with untrusted content, leading to remote code execution. **Recommendations** For versions prior to 5.0.0, update to version 5.0.0 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Microsoft Teams (affected versions not specified) Description: The issue is related to incorrect code generation management in Microsoft Teams. It allows a remote attacker to execute arbitrary code. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenMRS htmlformentry module versions prior to 3.11.0 **Description** A remote code execution issue was discovered, allowing a malicious Velocity Template Language file to be written to a directory through path traversal. This file could then be accessed and executed. **Recommendations** For versions prior to 3.11.0, update to version 3.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Velocity Template Language files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zulip Server versions prior to 2.1.3 **Description** The issue allows for XSS via the modal link feature in the Markdown functionality. **Recommendations** For versions prior to 2.1.3, update to version 2.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zulip Desktop versions 2.3.82 through 4.0.2 **Description** The issue allows for the loading of untrusted content in an Electron webview with web security disabled, which can be exploited for XSS in several ways. **Recommendations** For Zulip Desktop versions 2.3.82 through 4.0.2, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider disabling the Electron webview until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Yammer Desktop App (affected versions not specified) **Description** A remote code execution issue exists due to the loading of arbitrary content. This allows for potential exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitHub Electron versions 1.7.15 through 1.7.15 GitHub Electron versions 1.8.7 through 1.8.7 GitHub Electron versions 2.0.7 through 2.0.7 GitHub Electron versions 3.0.0-beta.6 through 3.0.0-beta.6 **Description** The issue is caused by errors in access control and can be leveraged to perform remote code execution. In certain scenarios involving IFRAME elements and `nativeWindowOpen: true` or `sandbox: true` options, the vulnerability can be exploited. This can allow a remote attacker to execute arbitrary code using a specially crafted iframe element. **Recommendations** Upgrade to version 1.7.16 or later for GitHub Electron version 1.7.15. Upgrade to version 1.8.8 or later for GitHub Electron version 1.8.7. Upgrade to version 2.0.8 or later for GitHub Electron version 2.0.7. Upgrade to version 3.0.0-beta.7 or later for GitHub Electron version 3.0.0-beta.6.

Name of the Vulnerable Software and Affected Versions: static-eval versions prior to 2.0.0 Description: The issue allows untrusted user input to access the global function constructor, effectively enabling arbitrary code execution. This occurs because affected versions of the static-eval module pass user input directly to the global function constructor when parsing expressions via the package. Recommendations: Update to version 2.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 21.0.1180.57 on Mac OS X and Linux, Google Chrome versions prior to 21.0.1180.60 on Windows and Chrome Frame **Description** The issue allows user-assisted remote attackers to cause a denial of service due to resource consumption via a crafted web site, as it does not request user confirmation before continuing a large series of downloads. **Recommendations** For Google Chrome versions prior to 21.0.1180.57 on Mac OS X and Linux, update to version 21.0.1180.57 or later. For Google Chrome versions prior to 21.0.1180.60 on Windows and Chrome Frame, update to version 21.0.1180.60 or later.