Nine:Situations:Group

**Name of the Vulnerable Software and Affected Versions** glFusion versions 1.1.2 and earlier **Description** The issue concerns SQL injection vulnerabilities in the ExecuteQueries function. Remote attackers can execute arbitrary SQL commands via the `order` and `direction` parameters to the "search.php" endpoint. **Recommendations** For glFusion versions 1.1.2 and earlier, as a temporary workaround, consider restricting access to the ExecuteQueries function in listfactory.class.php until a patch is available. Avoid using the `order` and `direction` parameters in the search.php endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jetAudio versions 7.5.2 through 7.5.3.15 JetCast.exe version 2.0.4.1109 **Description** The issue is related to a stack-based buffer overflow in JetCast.exe, which can be triggered by a long ID3 tag in an MP3 file, potentially allowing remote attackers to execute arbitrary code. **Recommendations** For jetAudio versions 7.5.2 through 7.5.3.15, consider updating JetCast.exe to a version that is not affected by this issue. For JetCast.exe version 2.0.4.1109, avoid using it to play MP3 files with long ID3 tags until a patch is available. As a temporary workaround, consider restricting access to JetCast.exe or disabling its ability to process MP3 files with long ID3 tags.

**Name of the Vulnerable Software and Affected Versions** KVIrc version 3.4.2 **Description** The issue allows remote attackers to execute arbitrary commands via a quote followed by command line switches in API endpoints such as "irc:///", "irc6:///", "ircs:///", or "ircs6:///". **Recommendations** For KVIrc version 3.4.2, as a temporary workaround, consider restricting access to the URI handler until a patch is available. Avoid using the quote character followed by command line switches in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ooVoo versions 1.7.1.35 through 1.7.1.58 Description: The issue is related to a buffer overflow in the oovoo.exe component. This can be exploited by remote attackers through a long oovoo: URI, potentially leading to a denial of service (crash) and possibly the execution of arbitrary code. Recommendations: For versions 1.7.1.35 through 1.7.1.58, update to version 1.7.1.59 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Exodus version 0.10 Description: The issue allows remote attackers to inject arbitrary command line arguments and overwrite arbitrary files, potentially causing a denial of service. This is achieved via encoded spaces in a pres:// URI. Recommendations: For version 0.10, consider restricting access to pres:// URIs to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Exodus version 0.10 Description: The issue allows remote attackers to inject arbitrary command line arguments and overwrite arbitrary files, potentially causing a denial of service. This is achieved via encoded spaces in an im:// URI. Recommendations: For version 0.10, consider restricting access to the im:// URI handler until a patch is available to prevent arbitrary command line argument injection and file overwrites.

**Name of the Vulnerable Software and Affected Versions** getPlus Download Manager versions prior to 1.5.0.48 Adobe Reader version 1.6.2.36 **Description** The issue allows local users to gain SYSTEM privileges by replacing getPlus HelperSvc.exe with a Trojan horse program due to insecure permissions (Everyone:Full Control) set by the getPlus Download Manager. This is demonstrated by the use of getPlus Download Manager within Adobe Reader. However, within Adobe Reader, the scope of this issue is limited because the program is deleted and the associated service is not automatically launched after a successful installation and reboot. **Recommendations** For getPlus Download Manager versions prior to 1.5.0.48, update to version 1.5.0.48 or later to resolve the issue. For Adobe Reader version 1.6.2.36, consider removing or restricting access to the getPlus Download Manager to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PeaZIP versions 2.6.1, 2.5.1, and earlier **Description** The issue allows user-assisted remote attackers to execute arbitrary commands. This can be achieved via a .zip archive containing a .txt file whose name includes `|` (pipe) characters and a command. **Recommendations** For PeaZIP versions 2.6.1, 2.5.1, and earlier, update to a newer version to mitigate the risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ICQ version 6.5 Description: The issue is related to a stack-based buffer overflow in the URL Search Hook, specifically in the ICQToolBar.dll component. This can be triggered by a remote attacker using an Internet shortcut .URL file that contains a long URL parameter. When a user browses a folder containing this file, it can cause a persistent crash and potentially allow the execution of arbitrary code. Recommendations: For ICQ version 6.5, consider avoiding the use of the URL Search Hook feature until a fix is available, or refrain from browsing folders that may contain malicious .URL files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Pinnacle Studio 12, specifically the Pinnacle Hollywood Effects 6 module, version 6.5.201.0 Description: The issue allows remote attackers to cause a denial of service, resulting in an application crash, by exploiting a vulnerability in the handling of crafted Hollywood FX Compressed Archive (.hfz) files. Recommendations: For version 6.5.201.0, consider avoiding the use of the InstallHFZ.exe module until a patch is available, or restrict access to .hfz files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Pinnacle Studio 12 version 6.5.201.0 Description: A directory traversal issue exists, allowing remote attackers to create and overwrite arbitrary files via a filename containing a .. (dot dot backslash) sequence in a Hollywood FX Compressed Archive (.hfz) file. This can potentially be leveraged for code execution by decompressing a file to a Startup folder. Recommendations: For version 6.5.201.0, consider restricting access to the InstallHFZ.exe module to minimize the risk of exploitation. As a temporary workaround, avoid using the Hollywood FX Compressed Archive (.hfz) file format until a patch is available.

Name of the Vulnerable Software and Affected Versions: Smarty version 2.6.22 Description: The issue allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the `equation` attribute of the `math` function. Recommendations: For Smarty version 2.6.22, consider disabling the `smarty function math` function until a patch is available to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: Bitweaver versions 2.6 and earlier Description: The issue allows remote attackers to create or overwrite arbitrary files due to a directory traversal vulnerability in the saveFeed function. This is achieved by including a .. (dot dot) in the `version` parameter to the "boards/boards rss.php" endpoint. Recommendations: For Bitweaver versions 2.6 and earlier, as a temporary workaround, consider restricting access to the saveFeed function in rss/feedcreator.class.php until a patch is available. Avoid using the `version` parameter in the boards/boards rss.php endpoint with untrusted input until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Bitweaver versions 2.6 and earlier Description: The issue concerns multiple static code injection vulnerabilities in the saveFeed function within the rss/feedcreator.class.php file. This allows remote authenticated users to inject arbitrary PHP code into files by placing PHP sequences into the account's `display name` setting and then invoking the "boards/boards rss.php" endpoint. Additionally, it might allow remote attackers to inject arbitrary PHP code into files via the HTTP Host header in a request to the "boards/boards rss.php" endpoint. Recommendations: For Bitweaver versions 2.6 and earlier, update to a version later than 2.6 to resolve the issue. As a temporary workaround, consider restricting access to the `saveFeed` function in the rss/feedcreator.class.php file until a patch is available. Avoid using the `display name` setting to inject PHP sequences in the account settings. Restrict modifications to the HTTP Host header to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: IceWarp Merak Mail Server version 9.4.1 Description: The issue is related to a stack-based buffer overflow in the IceWarpServer.APIObject ActiveX control. This occurs in the api.dll component of IceWarp Merak Mail Server. The overflow can happen when a large value is passed as the second argument to the `Base64FileEncode` method. This could potentially allow attackers to execute arbitrary code, especially in scenarios where untrusted input is accepted for this method. Recommendations: For IceWarp Merak Mail Server version 9.4.1, consider restricting access to the `Base64FileEncode` method until a patch is available. As a temporary workaround, avoid using the `Base64FileEncode` method with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Megacubo version 5.0.7 Description: The issue allows remote attackers to inject and execute arbitrary PHP code via the play action in a "mega:// URI". This is an eval injection vulnerability. Recommendations: For Megacubo version 5.0.7, update to a newer version that contains a fix for this issue, if available. As a temporary workaround, consider restricting access to the play action in "mega:// URI" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** glFusion versions 1.1.2 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `glf session` cookie parameter in the private/system/lib-session.php file. **Recommendations** For versions 1.1.2 and earlier, update to a version later than 1.1.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** glFusion versions prior to 1.1.3 **Description** The issue allows remote attackers to gain privileges by obtaining a user-provided password hash and using it in the `glf password` cookie. This can be exploited in conjunction with a separate SQL injection vulnerability to steal hashes. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `glf password` cookie to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PPLive versions 1.9.21 and earlier **Description** The issue allows remote attackers to execute arbitrary code via a UNC share pathname in the `LoadModule` argument to the (1) synacast, (2) Play, (3) pplsv, or (4) ppvod URI handler. **Recommendations** For versions 1.9.21 and earlier, consider restricting access to the UNC share pathname in the `LoadModule` argument to minimize the risk of exploitation. As a temporary workaround, avoid using the `LoadModule` argument in the affected URI handlers until a fix is available.

**Name of the Vulnerable Software and Affected Versions** GeoVision DVR systems LIVEAU~1.OCX version 7.0 **Description** The issue is related to a use-after-free vulnerability in the LIVEAUDIO.LiveAudioCtrl.1 ActiveX control. This vulnerability can be exploited by remote attackers to execute arbitrary code. The exploitation involves calling the `GetAudioPlayingTime` method with certain arguments. **Recommendations** For LIVEAU~1.OCX version 7.0, consider disabling the `GetAudioPlayingTime` method as a temporary workaround until a patch is available. Restrict access to the LIVEAUDIO.LiveAudioCtrl.1 ActiveX control to minimize the risk of exploitation.