Nnp

**Name of the Vulnerable Software and Affected Versions** Firefly Media Server versions 0.2.4 and earlier **Description** The issue allows remote attackers to cause a denial of service, resulting in a daemon crash. This can be achieved by sending a stats method action to the "/xml-rpc" API endpoint with either an empty `Authorization` header line, which triggers a crash in the `ws decodepassword()` function, or a header line without a ':' character, which triggers a crash in the `ws getheaders()` function. **Recommendations** For Firefly Media Server versions 0.2.4 and earlier, as a temporary workaround, consider restricting access to the "/xml-rpc" API endpoint to minimize the risk of exploitation. Avoid using empty or malformed `Authorization` header lines in requests to this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefly Media Server versions 0.2.4 and earlier **Description** The issue allows remote attackers to execute arbitrary code via a stats method action to "/xml-rpc" with format string specifiers in the `username` or `password` portion of base64-encoded data on the "Authorization: Basic" HTTP header line. This is due to a format string vulnerability in the `ws addarg` function in webserver.c in mt-dappd. **Recommendations** For Firefly Media Server versions 0.2.4 and earlier, as a temporary workaround, consider restricting access to the "/xml-rpc" API endpoint until a patch is available. Avoid using format string specifiers in the `username` or `password` portion of base64-encoded data on the "Authorization: Basic" HTTP header line. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kmail version 1.9.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in a crash, via an HTML e-mail containing certain table and frameset tags. This could potentially trigger a segmentation fault, possibly due to invalid free or delete operations, when the "Prefer HTML to Plain Text" option is enabled. **Recommendations** For Kmail version 1.9.1, consider disabling the "Prefer HTML to Plain Text" option as a temporary workaround to minimize the risk of exploitation.