Neal Poole

**Name of the Vulnerable Software and Affected Versions** Hubot Scripts versions prior to 2.4.4 **Description** The issue allows remote attackers to execute arbitrary commands due to a command injection vulnerability in the `hubot-scripts/package/src/scripts/email.coffee` module. The email script is not enabled by default and must be manually added to hubot's list of loaded scripts. **Recommendations** Update hubot-scripts to version 2.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter versions prior to 2.1.4 **Description** The issue allows remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag. This occurs due to a flaw in the `xss clean` function. **Recommendations** For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** F5 BIG-IP APM versions 10.1.0 through 10.2.4 F5 BIG-IP APM versions 11.0.0 through 11.3.0 FirePass versions 6.0.0 through 6.1.0 FirePass version 7.0.0 **Description** A directory traversal issue exists in the client-side components of the affected products when APM is provisioned. This allows remote attackers to upload and execute arbitrary files by including a .. (dot dot) in the `filename` parameter. **Recommendations** For F5 BIG-IP APM versions 10.1.0 through 10.2.4, update to a version outside of this range to resolve the issue. For F5 BIG-IP APM versions 11.0.0 through 11.3.0, update to a version outside of this range to resolve the issue. For FirePass versions 6.0.0 through 6.1.0, update to a version outside of this range to resolve the issue. For FirePass version 7.0.0, update to a version later than 7.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `filename` parameter in the affected products until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SWFUpload versions 2.2.0.1 and earlier WordPress versions prior to 3.3.2 TinyMCE Image Manager version 1.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `movieName` parameter, related to the `ExternalInterface.call` function. This could potentially lead to unauthorized actions on behalf of the user. **Recommendations** For SWFUpload versions 2.2.0.1 and earlier, consider disabling the `ExternalInterface.call` function until a patch is available. For WordPress versions prior to 3.3.2, update to version 3.3.2 or later. For TinyMCE Image Manager version 1.1, avoid using the `movieName` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** js-yaml versions 2.0.4 and earlier **Description** The issue allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation, due to the JS-YAML module parsing input without properly considering the unsafe !!js/function tag. **Recommendations** Update to version 2.0.5 or later, and ensure that all instances where the `load()` method is called are updated to use `safeLoad()` instead.

**Name of the Vulnerable Software and Affected Versions** Piwik versions 1.2 through 1.4 **Description** The issue allows remote attackers with the view permission to execute arbitrary code. The attack vectors are unknown. **Recommendations** For Piwik versions 1.2 through 1.4, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.4.0 **Description** The issue arises from insufficient input validation in the file-upload implementation, making it easier for remote attackers to cause a denial of service or conduct directory traversal attacks during multi-file uploads. This can be achieved by leveraging a script that lacks its own filename restrictions, particularly by exploiting the improper handling of invalid ` [ ` (open square bracket) characters in name values. **Recommendations** For PHP versions prior to 5.4.0, update to version 5.4.0 or later to resolve the issue. As a temporary workaround, consider implementing additional filename restrictions in scripts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple Safari versions prior to 5.0.6 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via a crafted text/plain file. This could potentially lead to unauthorized actions on a user's session. **Recommendations** For versions prior to 5.0.6, update to version 5.0.6 or later to resolve the issue.