
Milad Fadavvi

#16,949 of 53,638
15.9 Total CVSS
Vulnerabilities · 2
Medium: 1
Critical: 1
PT-2022-24469
9.8
2022-10-24
Zalando · Zalando Skipper · CVE-2022-38580
**Name of the Vulnerable Software and Affected Versions**

Zalando Skipper versions prior to v0.13.237

**Description**

The issue allows an attacker to exploit a vulnerable version of the proxy to access the internal metadata server or other unauthenticated URLs by adding a specific header (`X-Skipper-Proxy`) to the HTTP request. This is a case of Server-Side Request Forgery (SSRF).

**Recommendations**

To resolve the issue, upgrade to Zalando Skipper version v0.13.237 or later. As a temporary workaround, consider using the `dropRequestHeader("X-Skipper-Proxy")` filter to mitigate the risk of exploitation.
PT-2018-14548
6.1
2018-10-24
Wellknown · Mailcleaner · CVE-2018-18635
**Name of the Vulnerable Software and Affected Versions**

MailCleaner CE versions 2018.08 through 2018.09

**Description**

The issue concerns the administration login interface, where an XSS attack can be performed via the `admin/login/user/message/` PATH INFO.

**Recommendations**

For MailCleaner CE versions 2018.08 and 2018.09, consider restricting access to the `admin/login/user/message/` PATH INFO to minimize the risk of exploitation.