Ntc-Swiss-Team

**Name of the Vulnerable Software and Affected Versions** AAT (Another Activity Tracker) versions prior to 1.26 **Description** AAT is a GPS-tracking application for tracking sportive activities, with an emphasis on cycling. The issue allows for data exfiltration from malicious apps installed on the same device. **Recommendations** For versions prior to 1.26, update to version 1.26 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data within the application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MSAL.NET versions 4.48.0 through 4.60.0 **Description** A malicious application running on a customer Android device can cause local denial of service against applications that were built using MSAL.NET for authentication on the same device, due to incorrect activity export configuration. This can prevent the user of the legitimate application from logging in. Additionally, a malicious application can inject HTML/JavaScript in an embedded web view exported by affected applications. **Recommendations** For MSAL.NET versions 4.48.0 through 4.60.0, update to MSAL.NET version 4.60.1 or later to resolve the issue. As a temporary workaround, developers may explicitly mark the MSAL.NET activity non-exported by setting `android:exported="false"` in the activity configuration.

**Name of the Vulnerable Software and Affected Versions** Peering Manager versions prior to 1.8.3 **Description** Peering Manager is a BGP session management tool. Affected versions of Peering Manager are subject to a potential stored Cross-Site Scripting (XSS) attack in the `name` attribute of AS or Platform. The XSS triggers on a router's detail page. Adversaries are able to execute arbitrary JavaScript code with the permission of a victim. XSS attacks are often used to steal credentials or login tokens of other users. **Recommendations** For versions prior to 1.8.3, upgrade to version 1.8.3 to address the issue. As a temporary workaround, consider restricting access to the `name` attribute of AS or Platform to minimize the risk of exploitation. Avoid using the `name` attribute in the router's detail page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Peering Manager versions 1.8.2 and earlier **Description** The issue allows users to be redirected to an arbitrary page using a crafted URL, potentially leading to unexpected locations. This is a result of a flaw in the BGP session management tool. **Recommendations** For Peering Manager versions 1.8.2 and earlier, upgrade to version 1.8.3 to address the issue. At the moment, there is no information about other workarounds for this issue.

**Name of the Vulnerable Software and Affected Versions** Peering Manager versions <=1.8.2 **Description** Peering Manager is a BGP session management tool. There is a Server Side Template Injection issue that leads to Remote Code Execution, allowing arbitrary commands to be executed on the operating system running Peering Manager. **Recommendations** For Peering Manager versions <=1.8.2, upgrade to version 1.8.3 to address the issue. At the moment, there are no known workarounds for this issue.