Phillip Langlois

Name of the Vulnerable Software and Affected Versions: pfSense versions 2.4.4-p2 and earlier Description: An authenticated Cross-Site Scripting issue was found in the pfSense software WebGUI. The `descr` (description) parameter of wake-on-LAN entries in the widgets/widgets/wake on lan widget.php component was not properly encoded, leading to a possible stored XSS. Recommendations: For versions 2.4.4-p2 and earlier, update to a version that contains a fix for this issue to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Windows ActiveX Installer Service (affected versions not specified) **Description** The issue is related to an elevation of privilege vulnerability that exists due to the improper handling of memory by the Windows ActiveX Installer Service. To exploit this, an attacker would first need to gain execution on the victim system. This could potentially allow an attacker to elevate their privileges using a specially crafted application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Backup Service (affected versions not specified) **Description** The issue is related to the improper handling of file operations by the Windows Backup Service, which can lead to an elevation of privilege. To exploit this, an attacker must first gain execution on the victim system. This can potentially allow an attacker to elevate their privileges using a specially crafted application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to the incorrect handling of objects in memory by the ActiveX Installer Service in Windows operating systems. This can be exploited by an attacker using a specially crafted application to elevate their privileges. The vulnerability allows attackers to affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows Universal Plug and Play (UPnP) Service (affected versions not specified) **Description** An elevation of privilege issue exists due to the improper allowance of COM object creation by the Windows Universal Plug and Play (UPnP) service. This could allow an attacker to elevate their privileges or execute arbitrary code. The vulnerability is related to unsafe privilege management in the Windows UPnP service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to an elevation of privilege vulnerability in the ActiveX Installer service, which may allow access to files without proper authentication. This could enable an attacker to gain unauthorized access to protected information using a specially crafted application. The vulnerability is associated with insecure privilege management. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FFmpeg versions 0.5.x through 0.5.6 FFmpeg versions 0.6.x through 0.6.3 FFmpeg versions 0.7.x through 0.7.8 FFmpeg versions 0.8.x through 0.8.7 Libav versions 0.5.x through 0.5.5 Libav versions 0.6.x through 0.6.3 Libav versions 0.7.x through 0.7.2 **Description** The issue allows remote attackers to cause a denial of service, related to "dimensions changed" in the SVQ1 decoder. Exploitation of the vulnerabilities may lead to disruption of confidentiality, integrity, and availability of protected information. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For FFmpeg versions 0.5.x through 0.5.6, update to version 0.5.7 or later. For FFmpeg versions 0.6.x through 0.6.3, update to version 0.6.4 or later. For FFmpeg versions 0.7.x through 0.7.8, update to version 0.7.9 or later. For FFmpeg versions 0.8.x through 0.8.7, update to version 0.8.8 or later. For Libav versions 0.5.x through 0.5.5, update to version 0.5.6 or later. For Libav versions 0.6.x through 0.6.3, update to version 0.6.4 or later. For Libav versions 0.7.x through 0.7.2, update to version 0.7.3 or later.