Pwnull

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to insufficient access control in the Winlogon program of Windows operating systems. It allows an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions through 18.12.14 **Description** This issue affects Apache OFBiz, allowing unauthenticated endpoints to execute screen rendering code of screens if certain preconditions are met, such as when screen definitions do not explicitly check user permissions. The vulnerability is related to incorrect authorization and can lead to remote code execution. It is being actively exploited, and proof-of-concept exploits are available. Users are recommended to upgrade to version 18.12.15 to fix the issue. **Recommendations** Apache OFBiz versions through 18.12.14: Upgrade to version 18.12.15 to resolve the issue. As a temporary workaround, consider restricting access to unauthenticated endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Spring Security versions 5.7.x prior to 5.7.12 Spring Security versions 5.8.x prior to 5.8.11 Spring Security versions 6.0.x prior to 6.0.9 Spring Security versions 6.1.x prior to 6.1.8 Spring Security versions 6.2.x prior to 6.2.3 Bitbucket Data Center and Server versions 8.0.0 through 8.19.0 Bamboo Data Center and Server versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 **Description** The issue is related to broken access control in Spring Security when the `AuthenticatedVoter#vote` function is used directly with a null `Authentication` parameter. This could allow an unauthenticated attacker to expose assets in the environment that are susceptible to exploitation, with a high impact on confidentiality and low impact on integrity. Approximately 8,638 results have been found, mainly distributed in the United States and Canada. **Recommendations** For Spring Security versions 5.7.x prior to 5.7.12, upgrade to version 5.7.12 or later. For Spring Security versions 5.8.x prior to 5.8.11, upgrade to version 5.8.11 or later. For Spring Security versions 6.0.x prior to 6.0.9, upgrade to version 6.0.9 or later. For Spring Security versions 6.1.x prior to 6.1.8, upgrade to version 6.1.8 or later. For Spring Security versions 6.2.x prior to 6.2.3, upgrade to version 6.2.3 or later. For Bitbucket Data Center and Server, upgrade to version 8.19.1 or later, or one of the specified supported fixed versions. For Bamboo Data Center and Server, upgrade to version 9.6.1 or later, or one of the specified supported fixed versions. As a temporary workaround, consider avoiding the direct use of `AuthenticatedVoter#vote` with a null `Authentication` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via T3, IIOP to compromise the server. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. It is estimated that over 10,000 services are potentially affected. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, update to a version that includes the fix for this issue, as provided in Oracle's April 2024 Critical Patch Update. At the moment, there is no information about other specific newer versions that contain a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache XML Graphics versions prior to 1.16 Confluence Data Center and Server versions 7.13.0 through 7.19.0, specifically versions prior to 7.19.16 **Description** A vulnerability in the Apache Batik library for working with SVG images is related to insufficient checking of incoming requests. This issue allows an attacker to run untrusted Java code from an SVG, potentially enabling remote execution of arbitrary Java code. The estimated impact of this issue is high, with potential exposure of assets in the environment susceptible to exploitation, affecting confidentiality. **Recommendations** For Apache XML Graphics versions prior to 1.16, update to version 1.16. For Confluence Data Center and Server versions 7.13.0 through 7.19.0, upgrade to a release greater than or equal to 7.19.16. As a temporary workaround, consider restricting the use of SVG images in your environment until the issue is resolved.