Raphael Geissert

**Name of the Vulnerable Software and Affected Versions** piwigo (affected versions not specified) **Description** The issue is related to a Cross-Site Scripting (XSS) problem. It affects the password.php file, which suggests that the vulnerability could be exploited through password-related functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** piwigo (affected versions not specified) **Description** The issue is related to an incomplete fix for a previous security problem in the password.php file, which results in a cross-site scripting (XSS) issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** trytond version 2.4 **Description** The issue is related to the `ModelView.button` function, which fails to validate authorization. **Recommendations** For trytond version 2.4, as a temporary workaround, consider disabling the `ModelView.button` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** letodms (affected versions not specified) **Description** The issue concerns multiple XSS problems, including Reflected XSS in the Login Page, Stored XSS in the Document Owner/User name, and Stored XSS in the Calendar. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mailscanner version 4.79.11-2 **Description** The issue concerns the update{ bad,} phishing sites scripts in mailscanner, which download files without using encryption or digital signature checking. This could allow an attacker to replace certain configuration files, such as the phishing whitelist, via DNS or packet spoofing. **Recommendations** For mailscanner version 4.79.11-2, consider disabling the update{ bad,} phishing sites scripts until a secure update mechanism is implemented to prevent potential exploitation. Restrict access to configuration files to minimize the risk of unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** pixelpost version 1.7.3 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to change the admin password. **Recommendations** For pixelpost version 1.7.3, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MailScanner versions prior to 4.79.11-2.1 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on certain temporary files. This problem exists due to an incomplete fix for a previously identified issue. **Recommendations** For versions prior to 4.79.11-2.1, update to version 4.79.11-2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GLPI version 0.83.7 **Description** The issue is related to Local File Inclusion in the common.tabs.php file. **Recommendations** For GLPI version 0.83.7, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** paxtest (affected versions not specified) **Description** The issue is related to paxtest handling temporary files insecurely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** qtparted (affected versions not specified) **Description** The issue is related to insecure library loading, which may allow arbitrary code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pixelpost versions 1.7.1 through 1.7.5 **Description** The issue is related to SQL injection. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For pixelpost versions 1.7.1 through 1.7.5, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** pixelpost versions 1.7.1 through 1.7.1-5 **Description** The issue is related to Cross-Site Scripting (XSS). XSS is a type of security vulnerability that allows an attacker to inject malicious scripts into a website, potentially allowing them to steal user data or take control of the user's session. **Recommendations** For pixelpost version 1.7.1, update to a version that fixes the XSS issue. For pixelpost versions 1.7.1-5, update to a version that fixes the XSS issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MailScanner (affected versions not specified) **Description** The issue allows local users to prevent virus signatures from being updated. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sonatype Nexus Repository Manager versions through 2.14.5 **Description** The issue is related to weak password encryption in the LDAP integration feature, with a hardcoded value. This weakness may allow a remote attacker to access user authentication data and other protected information. The problem is also associated with the use of defective cryptographic algorithms. **Recommendations** For Sonatype Nexus Repository Manager versions through 2.14.5, update to a version that addresses the weak password encryption issue in the LDAP integration feature. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: LetoDMS versions prior to 3.3.8 Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in certain files, specifically (1) inc/inc.ClassUI.php or (2) out/out.DocumentNotify.php. Recommendations: For versions prior to 3.3.8, update to version 3.3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected files, inc/inc.ClassUI.php and out/out.DocumentNotify.php, to minimize the risk of exploitation. Avoid using unspecified parameters in these files until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: LetoDMS versions prior to 3.3.8 Description: The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of victims. The exact vectors used for the attack are not specified. Recommendations: For versions prior to 3.3.8, update to version 3.3.8 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: LetoDMS versions prior to 3.3.9 Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The estimated number of potentially affected devices and details about real-world incidents are not specified. Recommendations: For versions prior to 3.3.9, update to version 3.3.9 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: LetoDMS versions prior to 3.3.8 Description: The issue allows remote attackers to execute arbitrary SQL commands. Recommendations: For versions prior to 3.3.8, update to version 3.3.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Debian acpi-support versions prior to 0.140-5+deb7u3 **Description** The issue allows local users to gain privileges via vectors related to the user's environment. **Recommendations** For versions prior to 0.140-5+deb7u3, update to version 0.140-5+deb7u3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.16.3 **Description** The issue allows remote CIFS servers to cause a denial of service, resulting in a NULL pointer dereference and client system crash, or possibly have unspecified other impact. This occurs when the IPC$ share is deleted during resolution of DFS referrals. The `SMB2 tcon` function in `fs/cifs/smb2pdu.c` is the vulnerable component. **Recommendations** For Linux kernel versions prior to 3.16.3, update to version 3.16.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `SMB2 tcon` function in `fs/cifs/smb2pdu.c` to minimize the risk of exploitation.