N1Nj4Sec

Name of the Vulnerable Software and Affected Versions: GravityZone Console versions prior to 6.38.1-2 Description: A host whitelist parser issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue is related to insufficient checking of incoming requests, which can be exploited by a remote attacker to perform an SSRF attack. Recommendations: For GravityZone Console versions prior to 6.38.1-2, update to version 6.38.1-2 or later to resolve the issue. As a temporary workaround, consider restricting access to the proxy service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1 **Description** An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. **Recommendations** For Bitdefender Endpoint Security for Linux version 7.0.5.200089, update to a version that includes the fix for the Incorrect Regular Expression vulnerability. For Bitdefender Endpoint Security for Windows version 7.9.9.380, update to a version that includes the fix for the Incorrect Regular Expression vulnerability. For GravityZone Control Center (On Premises) version 6.36.1, update to a version that includes the fix for the Incorrect Regular Expression vulnerability. As a temporary workaround, consider restricting access to the vulnerable component in the GravityZone Update Server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1 **Description** The issue is related to an Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone. This vulnerability allows an attacker to execute arbitrary code on vulnerable instances. **Recommendations** For Bitdefender Endpoint Security for Linux version 7.0.5.200089, update to a version that includes a fix for the UpdateServer component vulnerability. For Bitdefender Endpoint Security for Windows version 7.9.9.380, update to a version that includes a fix for the UpdateServer component vulnerability. For GravityZone Control Center (On Premises) version 6.36.1, update to a version that includes a fix for the UpdateServer component vulnerability. As a temporary workaround, consider disabling the UpdateServer component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Paessler PRTG Network Monitor (affected versions not specified) **Description** This issue allows remote attackers to bypass authentication on affected installations of Paessler PRTG Network Monitor. User interaction is required to exploit this issue, where the target must visit a malicious page or open a malicious file. The specific flaw exists within the web console, resulting from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this issue to bypass authentication on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** The Plus Addons for Elementor Page Builder WordPress plugin versions prior to 4.1.12 **Description** The issue concerns a reflected Cross-Site Scripting problem. It is related to the `theplus more post` AJAX action, which did not properly sanitise some of its fields. This makes the plugin exploitable on both unauthenticated and authenticated users. **Recommendations** For versions prior to 4.1.12, update to version 4.1.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the `theplus more post` AJAX action until a patch is applied.