Oscar Bataille

**Name of the Vulnerable Software and Affected Versions** IceWarp versions prior to 9.14.2.0.9 **Description** This issue is a command injection flaw in the handling of the `X-File-Operation` header. It allows remote attackers to execute arbitrary code on affected IceWarp installations without authentication. The root cause is a lack of proper validation of user-supplied data before it is used in a system call, enabling an attacker to execute code with SYSTEM or root privileges. Reports indicate over 1,200 servers remain vulnerable. The API endpoint involved is not explicitly specified, but the vulnerability is triggered through the `X-File-Operation` header. **Recommendations** Update IceWarp to version 9.14.2.0.9 or later.

**Name of the Vulnerable Software and Affected Versions** Exim versions 4.98 through 4.98.0 **Description** The issue allows remote SQL injection when SQLite hints and ETRN serialization are used. This could potentially allow a remote attacker to perform SQL injection, possibly stealing sensitive data or crashing servers. The vulnerability exists in Exim version 4.98 when specific configurations are used, involving the use of SQLite hints and ETRN serialization. **Recommendations** Update to Exim version 4.98.1 or later to prevent exploitation and safeguard data. As a temporary workaround, consider disabling the use of SQLite hints and ETRN serialization until a patch is available. Restrict access to the Exim mail transfer agent to minimize the risk of exploitation.