Paolo Cavaglià

**Name of the Vulnerable Software and Affected Versions** Kubernetes Image Builder Nutanix (affected versions not specified) OVA providers (affected versions not specified) **Description** VM images built with Kubernetes Image Builder Nutanix or OVA providers may use default credentials for Windows images if a user does not override them. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP-Strava plugin for WordPress versions up to, and including, 2.12.1 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For WP-Strava plugin for WordPress versions up to, and including, 2.12.1: Update to the latest version to mitigate risks. As a temporary workaround, consider restricting access to admin settings to minimize the risk of exploitation. Additionally, restricting the use of unfiltered html in installations can help reduce the vulnerability's impact.

**Name of the Vulnerable Software and Affected Versions** PAM system (affected versions not specified) **Description** The issue allows an unauthenticated attacker to achieve remote command execution on the affected PAM system. This is done by uploading a specially crafted PAM upgrade file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PAM (affected versions not specified) **Description** The issue allows an attacker to bypass the authentication requirements for a specific PAM endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue allows a malicious low-privileged PAM user to perform server upgrade related actions. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PAM system (affected versions not specified) **Description** The issue allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PAM UI (affected versions not specified) **Description** A reflected cross-site scripting (XSS) issue exists in the PAM UI web interface, allowing a remote attacker to potentially execute arbitrary client-side code if a PAM user clicks on a specially crafted link. This could lead to the execution of code in the context of PAM UI. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PAM (affected versions not specified) **Description** The issue allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PAM (affected versions not specified) **Description** A specific authentication strategy in PAM allows a malicious attacker to learn the ids of all PAM users defined in its database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PAM (affected versions not specified) **Description** The issue allows a malicious low-privileged PAM user to access information about other PAM users and their group memberships. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** The issue allows an unauthenticated attacker to read arbitrary information from the database. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PAM system (affected versions not specified) **Description** An improper input validation in the PAM system allows an unauthenticated attacker to achieve remote command execution by sending a specially crafted HTTP request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Invitation Code Content Restriction Plugin from CreativeMinds plugin for WordPress versions up to, and including, 1.5.4 **Description** The issue is related to Reflected Cross-Site Scripting via the `target id` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.5.4, consider disabling the `target id` parameter until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of arbitrary web script injection. Avoid using the `target id` parameter in affected pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.