Mike

**Name of the Vulnerable Software and Affected Versions** ZD YouTube FLV Player plugin for WordPress versions up to, and including, 1.2.6 **Description** The issue allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. This is achieved via the `$ GET['image']` parameter. **Recommendations** For versions up to, and including, 1.2.6, update the ZD YouTube FLV Player plugin for WordPress to a version that is not affected by this issue. As a temporary workaround, consider restricting access to the `$ GET['image']` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 4.x through 10.0 Firefox ESR versions 10.x before 10.0.3 Thunderbird versions 5.0 through 10.0 Thunderbird ESR versions 10.x before 10.0.3 SeaMonkey version 2.8 and earlier **Description** A CRLF injection issue allows remote web servers to bypass intended Content Security Policy (CSP) restrictions and possibly conduct cross-site scripting (XSS) attacks via crafted HTTP headers. **Recommendations** For Mozilla Firefox versions 4.x through 10.0, update to version 10.0.3 or later. For Firefox ESR versions 10.x before 10.0.3, update to version 10.0.3 or later. For Thunderbird versions 5.0 through 10.0, update to version 10.0.3 or later. For Thunderbird ESR versions 10.x before 10.0.3, update to version 10.0.3 or later. For SeaMonkey version 2.8 and earlier, update to version 2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 3.2.x through 3.2.9 Bugzilla versions 3.4.x through 3.4.9 Bugzilla versions 3.6.x through 3.6.3 Bugzilla versions 4.0.x through 4.0rc1 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI, specifically by creating a clickable link for a `javascript:` or `data:` URI in the URL field. **Recommendations** For Bugzilla versions 3.2.x through 3.2.9, update to version 3.2.10 or later. For Bugzilla versions 3.4.x through 3.4.9, update to version 3.4.10 or later. For Bugzilla versions 3.6.x through 3.6.3, update to version 3.6.4 or later. For Bugzilla versions 4.0.x through 4.0rc1, update to version 4.0rc2 or later.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions 3.8.1 and earlier **Description** The issue allows remote attackers to cause a denial of service, resulting in an infinite loop and memory consumption. This occurs when a packet with invalid data is sent to UDP port 1701, causing the `l2tp avp print` function to use a bad length value when calling `print octets`. **Recommendations** For versions 3.8.1 and earlier, update to a version later than 3.8.1 to resolve the issue.