Metin Yunus Kandemir

Name of the Vulnerable Software and Affected Versions: Microsoft Office (affected versions not specified) Microsoft 365 Apps for Enterprise (affected versions not specified) Description: The issue is related to insufficient protection of service data in Microsoft Office and Microsoft 365 Apps for Enterprise, allowing a remote attacker to conduct spoofing attacks. This can affect the system. Recommendations: For Microsoft Office, consider restricting access to sensitive features until a patch is available. For Microsoft 365 Apps for Enterprise, avoid using potentially vulnerable components until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Asp.Net Zero versions prior to 12.3.0 **Description** The issue is related to an open redirect through HTML injection in user messages, allowing remote attackers to redirect targeted victims to any URL via the '<meta http-equiv="refresh">' in the WebSocket messages. This can be exploited by injecting malicious HTML code into user messages, enabling attackers to redirect users to arbitrary URLs. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For versions prior to 12.3.0, update to version 12.3.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of HTML in user messages or restricting the use of WebSocket messages until a patch is available. Avoid using the '<meta http-equiv="refresh">' tag in WebSocket messages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADSelfService Plus versions prior to 6202 **Description** The issue allows attackers to perform username enumeration via a crafted POST request to "/ServletAPI/accounts/login". This enables attackers to identify valid usernames, potentially leading to further attacks. **Recommendations** For versions prior to 6202, update to version 6202 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ServletAPI/accounts/login" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADSelfService Plus versions prior to 6121 ADAuditPlus versions prior to 7060 Exchange Reporter Plus versions prior to 5701 ADManagerPlus versions prior to 7131 **Description** The issue allows NTLM Hash disclosure during certain storage-path configuration steps. This affects Zoho ManageEngine products, potentially leading to security breaches. **Recommendations** For Zoho ManageEngine ADSelfService Plus versions prior to 6121, update to version 6121 or later. For ADAuditPlus versions prior to 7060, update to version 7060 or later. For Exchange Reporter Plus versions prior to 5701, update to version 5701 or later. For ADManagerPlus versions prior to 7131, update to version 7131 or later.

**Name of the Vulnerable Software and Affected Versions** WEB STUDIO Ultimate Loan Manager version 2.0 **Description** The issue exists due to the presence of a cross-site scripting (XSS) flaw. This flaw can be exploited by adding a branch under the Branches button and setting the `notes` parameter with crafted JavaScript code. **Recommendations** For WEB STUDIO Ultimate Loan Manager version 2.0, as a temporary workaround, consider disabling the ability to add branches or restrict the input for the `notes` parameter to prevent the execution of malicious JavaScript code until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MyT version 1.5.1 **Description** The issue concerns a problem where the `username` parameter in the User component has XSS. **Recommendations** For MyT version 1.5.1, avoid using the `username` parameter until the issue is resolved.