Mohamed Abdelbaset Elnoby

**Name of the Vulnerable Software and Affected Versions** OmniAuth Ruby gem versions 1.9.2 and earlier **Description** The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework. This allows accounts to be connected without user intent, user interaction, or feedback to the user, permitting a secondary account to sign into the web application as the primary account. **Recommendations** For OmniAuth Ruby gem versions 1.9.2 and earlier, update to version 2 or later and ensure that the default configuration is not modified to reintroduce the vulnerability. As a temporary workaround, consider configuring OmniAuth according to the recommended remediation to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MikroTik RouterOS versions prior to 5.0 **Description** A cross-site request forgery issue allows remote attackers to hijack administrator authentication for requests that change the administrator password. This is achieved via a request in the status page to "/cfg" API endpoint, specifically targeting the `password` variable. **Recommendations** For versions prior to 5.0, as a temporary workaround, consider restricting access to the "/cfg" API endpoint until a patch is available. Avoid using the `password` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenKM versions prior to 6.4.19 (build 23338) **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via the `Subject` field in a Task to "frontend/index.jsp". **Recommendations** For versions prior to 6.4.19 (build 23338), update to version 6.4.19 (build 23338) or later to resolve the issue.