Rob

**Name of the Vulnerable Software and Affected Versions** Open Library Foundation VuFind versions 2.4 through 9.1 before 9.1.1 **Description** A Server-Side Request Forgery (SSRF) vulnerability in the "/Cover/Show" route, specifically in the `showAction` function of `CoverController.php`, allows remote attackers to access internal HTTP servers and perform Cross-Site Scripting (XSS) attacks. This is achieved by proxying arbitrary URLs via the `proxy` GET parameter. **Recommendations** For Open Library Foundation VuFind versions 2.4 through 9.1 before 9.1.1, update to version 9.1.1 to resolve the issue. As a temporary workaround, consider restricting access to the "/Cover/Show" route or disabling the `showAction` function in `CoverController.php` until a patch is available. Avoid using the `proxy` GET parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Open Library Foundation VuFind versions 2.0 through 9.1 before 9.1.1 **Description** A Server-Side Request Forgery (SSRF) vulnerability in the "/Upgrade/FixConfig" route allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. The vulnerability requires the `allow url include` PHP runtime setting to be on, which is off in default installations, and the "/Upgrade" route to be exposed, which is exposed by default after installing VuFind. **Recommendations** For versions 2.0 through 9.1 before 9.1.1, update to version 9.1.1 or later to resolve the issue. As a temporary workaround, consider disabling the "/Upgrade" route by setting `autoConfigure` to false in config.ini to minimize the risk of exploitation. Restrict access to the "/Upgrade/FixConfig" route to prevent potential attacks.

**Name of the Vulnerable Software and Affected Versions** Papenmeier WiFi Baby Monitor Free & Lite versions prior to 2.02.2 **Description** The issue allows remote attackers to obtain audio data via certain requests to TCP ports 8258 and 8257. **Recommendations** For versions prior to 2.02.2, update to version 2.02.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.5.9 and earlier, 2.6.x through 2.6.8, 2.7.x through 2.7.5, 2.8.x through 2.8.3 **Description** The issue is related to improper resource management in the filter/urltolink/filter.php component of the Moodle learning management system. It allows remote authenticated users to cause a denial of service, resulting in CPU consumption or partial outage, by sending a crafted string that is matched against an improper regular expression. **Recommendations** For versions 2.5.9 and earlier, update to a version later than 2.5.9. For versions 2.6.x through 2.6.8, update to version 2.6.9 or later. For versions 2.7.x through 2.7.5, update to version 2.7.6 or later. For versions 2.8.x through 2.8.3, update to version 2.8.4 or later.