Moritz Naumann

**Name of the Vulnerable Software and Affected Versions** Ubuntu Server versions prior to Subiquity 20.05.2 **Description** A security issue was discovered in the Subiquity installer for Ubuntu Server, where the LUKS full disk encryption password was logged if one was entered. This issue was caused by the password being stored in the log. The company Canonical released a corrective version of the Subiquity installer, 20.05.2, which applies to Ubuntu Server installations starting from version 18.04 in Live mode. **Recommendations** For Ubuntu Server versions prior to Subiquity 20.05.2, update the Subiquity installer to version 20.05.2, which can be obtained from the Snap Store, to resolve the issue. As a temporary workaround, consider avoiding the use of LUKS full disk encryption or taking extra precautions to protect the password until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Horde Application Framework versions prior to 3.3.9 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `subdir` parameter in the util/icon browser.php file. **Recommendations** For versions prior to 3.3.9, update to version 3.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the util/icon browser.php file to minimize the risk of exploitation. Avoid using the `subdir` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cacti version 0.8.7e **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The affected areas include `graph.php`, `include/top graph header.php`, `lib/html form.php`, and `lib/timespan settings.php`. Specifically, the vulnerabilities can be exploited through the `graph end` or `graph start` parameters to `graph.php`, the `date1` parameter in a tree action to `graph view.php`, and the `page refresh` and `default dual pane width` parameters to `graph settings.php`. **Recommendations** For Cacti version 0.8.7e, consider disabling access to the affected PHP files until a patch is available. Restrict access to the `graph.php`, `graph view.php`, and `graph settings.php` endpoints to minimize the risk of exploitation. Avoid using the `graph end`, `graph start`, `date1`, `page refresh`, and `default dual pane width` parameters in the affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Drupal versions 5.x prior to 5.17 Drupal versions 6.x prior to 6.11 Description: The issue allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the site's front page with a crafted URL, causing form data to be sent to an attacker-controlled site. This might be related to multiple / (slash) characters not being properly handled by includes/bootstrap.inc, as demonstrated using the search box. It can be leveraged to conduct cross-site request forgery (CSRF) attacks. Recommendations: For Drupal versions 5.x prior to 5.17, update to version 5.17 or later. For Drupal versions 6.x prior to 6.11, update to version 6.11 or later.

Name of the Vulnerable Software and Affected Versions: Drupal versions 5.x before 5.17 Drupal versions 6.x before 6.11 Description: A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag. These sequences are treated as UTF-7 by Internet Explorer 6 and 7. Recommendations: For Drupal 5.x, update to version 5.17 or later. For Drupal 6.x, update to version 6.11 or later.

**Name of the Vulnerable Software and Affected Versions** Mailman versions prior to 2.1.9rc1 **Description** The issue is related to a CRLF injection vulnerability in the Utils.py file. This vulnerability allows remote attackers to inject CRLF sequences into the URI, potentially spoofing messages in the error log. Attackers may use this to trick administrators into visiting malicious URLs. **Recommendations** For versions prior to 2.1.9rc1, update to version 2.1.9rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to the error log to minimize the risk of exploitation. Avoid using URLs with CRLF sequences in the affected Mailman version until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PmWiki versions prior to 2.1.18 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "table markups". **Recommendations** For versions prior to 2.1.18, update to version 2.1.18 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WebScarab versions prior to 20060718-1904 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the URL. This occurs because the URL is not sanitized before being returned in an error message when WebScarab is unable to access it. This issue is particularly relevant when used with certain browsers. **Recommendations** For versions prior to 20060718-1904, update to version 20060718-1904 or later to resolve the issue. As a temporary workaround, consider restricting access to WebScarab to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Horde Application Framework versions 3.0.0 through 3.0.10 Horde Application Framework versions 3.1.0 through 3.1.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several methods, including using a javascript URI or an external http, https, or ftp URI in the `url` parameter in "services/go.php", a javascript URI in the `module` parameter in "services/help", and the `name` parameter in "services/problem.php". **Recommendations** For Horde Application Framework versions 3.0.0 through 3.0.10, update to a version outside of this range to mitigate the risk. For Horde Application Framework versions 3.1.0 through 3.1.1, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the "services/go.php", "services/help", and "services/problem.php" endpoints until a patch is available. Avoid using the `url` parameter in "services/go.php", the `module` parameter in "services/help", and the `name` parameter in "services/problem.php" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Horde Application Framework versions 3.0.0 through 3.0.10 Horde Application Framework versions 3.1.0 through 3.1.1 **Description** The issue allows remote attackers to perform Web tunneling attacks and use the server as a proxy via http, https, and ftp URL in the `url` parameter. This is due to the improper restriction of the image proxy capability in the services/go.php file. **Recommendations** For Horde Application Framework versions 3.0.0 through 3.0.10, restrict access to the services/go.php file to minimize the risk of exploitation. For Horde Application Framework versions 3.1.0 through 3.1.1, avoid using the `url` parameter in the services/go.php file until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: GNU Mailman version 2.1.7 Description: A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `action` argument in the private archive script (private.py). Recommendations: For GNU Mailman version 2.1.7, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.2.0 through 2.4.6.2 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via query strings that are included in an error message. This can be achieved by using a parameter containing script. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.2.0 through 2.4.6.2, consider restricting access to the gui/errordocs/index.php file until a patch is available. As a temporary workaround, avoid using parameters that contain script in query strings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PmWiki versions up to 2.0.12 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `q` parameter in the Search module. **Recommendations** For versions up to 2.0.12, update to a version later than 2.0.12 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TikiWiki versions 1.9.0 through 1.9.2 **Description** The issue allows remote attackers to obtain the installation path via an invalid `topics sort mode` parameter. This is possibly related to an SQL injection issue. **Recommendations** For versions 1.9.0 through 1.9.2, consider restricting access to the `tiki-view forum thread.php` file until a fix is available. Avoid using invalid `topics sort mode` parameters in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Antville version 1.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the notfound.skin error document. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For Antville version 1.1, consider disabling the notfound.skin error document as a temporary workaround until a patch is available. Restrict access to error documents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Address Add Plugin versions 1.9 through 2.0 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the IMG tag in the add.php file. **Recommendations** For Address Add Plugin versions 1.9 through 2.0, update to a version that fixes this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Open Ticket Request System (OTRS) versions 1.0.0 through 1.3.2 Open Ticket Request System (OTRS) versions 2.0.0 through 2.0.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands and bypass authentication via the `user` parameter in the Login action. Additionally, remote authenticated users can exploit the vulnerability via the `TicketID` and `ArticleID` parameters of the AgentTicketPlain action. The vulnerability can be exploited remotely, potentially leading to a breach of confidentiality, integrity, and availability of protected information. **Recommendations** For Open Ticket Request System (OTRS) versions 1.0.0 through 1.3.2, update to a version outside of this range to mitigate the risk. For Open Ticket Request System (OTRS) versions 2.0.0 through 2.0.3, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the `AgentTicketPlain` action and the `Login` action until a patch is available. Avoid using the `user`, `TicketID`, and `ArticleID` parameters in the affected actions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Open Ticket Request System (OTRS) versions 1.0.0 through 1.3.2 Open Ticket Request System (OTRS) versions 2.0.0 through 2.0.3 **Description** The issue involves multiple cross-site scripting (XSS) vulnerabilities that allow remote authenticated users to inject arbitrary web script or HTML. This can be achieved via hex-encoded values in the `QueueID` parameter and `Action` parameters. The vulnerability can lead to a disruption of confidentiality, integrity, and availability of protected information and can be exploited remotely. **Recommendations** For Open Ticket Request System (OTRS) versions 1.0.0 through 1.3.2, consider disabling the `QueueID` and `Action` parameters in the index.pl file until a patch is available. For Open Ticket Request System (OTRS) versions 2.0.0 through 2.0.3, consider disabling the `QueueID` and `Action` parameters in the index.pl file until a patch is available. As a temporary workaround, restrict access to the index.pl file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Open Ticket Request System (OTRS) versions 1.0.0 through 1.3.2 Open Ticket Request System (OTRS) versions 2.0.0 through 2.0.3 **Description** The issue allows remote attackers to execute arbitrary web script or HTML when the `AttachmentDownloadType` is set to inline, and the queue moderator attempts to download an e-mail attachment. This can lead to the execution of arbitrary web script or HTML. The problem may be referred to as XSS by some sources. Multiple vulnerabilities in the otrs package of the Debian GNU/Linux operating system can be exploited remotely, leading to a violation of confidentiality, integrity, and availability of protected information. **Recommendations** For Open Ticket Request System (OTRS) versions 1.0.0 through 1.3.2, consider changing the `AttachmentDownloadType` from inline to prevent the rendering of text/html e-mail attachments as HTML in the browser. For Open Ticket Request System (OTRS) versions 2.0.0 through 2.0.3, consider changing the `AttachmentDownloadType` from inline to prevent the rendering of text/html e-mail attachments as HTML in the browser. At the moment, there is no information about a newer version that contains a fix for this vulnerability.