Romansoft

**Name of the Vulnerable Software and Affected Versions** Postfix versions prior to 2.3.15 Postfix versions 2.4 prior to 2.4.8 Postfix versions 2.5 prior to 2.5.4 Postfix versions 2.6 prior to 2.6-20080814 **Description** The issue allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. This can be leveraged to gain privileges if there is a symlink to an init script. **Recommendations** For Postfix versions prior to 2.3.15, update to version 2.3.15 or later. For Postfix versions 2.4 prior to 2.4.8, update to version 2.4.8 or later. For Postfix versions 2.5 prior to 2.5.4, update to version 2.5.4 or later. For Postfix versions 2.6 prior to 2.6-20080814, update to version 2.6-20080814 or later.

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.4.7.1 with v.1 patch and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `username`, which is recorded in a log file but not properly handled when the administrator uses the admin log utility to read the log file. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.4.7.1 with v.1 patch and earlier, consider disabling the admin log utility until a patch is available to prevent exploitation of the XSS issue via the `username` variable.

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier **Description** The issue allows remote attackers to gain unauthorized access due to the lack of verification of the old password when a user changes their password. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier, update to a version that verifies the old password during the password change process to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier **Description** The issue concerns the check login function in login.php, which does not properly exit when authentication fails. This allows remote attackers to gain unauthorized access. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier, as a temporary workaround, consider disabling the check login function until a patch is available. Restrict access to the login.php module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier **Description** The issue allows remote attackers to gain unauthorized access due to a lack of user privilege checks when adding new administrative users. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier, consider disabling the add user.php script until a patch is available to prevent unauthorized access. Restrict access to administrative user addition functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** dhcpd versions 4.0 through 4.2 dhcp-client-udeb (affected versions not specified) dhcp-relay (affected versions not specified) dhcp (affected versions not specified) **Description** The issue involves multiple vulnerabilities in the dhcp package of the Debian GNU/Linux operating system, which can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited by a local attacker. Additionally, a stack-based buffer overflow vulnerability in the cons options function in options.c in dhcpd allows remote attackers to execute arbitrary code or cause a denial of service via a DHCP request specifying a maximum message size smaller than the minimum IP MTU. **Recommendations** For dhcpd versions 4.0 through 4.2, consider updating to a newer version to mitigate the risk of exploitation. For dhcp-client-udeb, dhcp-relay, and dhcp, at the moment, there is no information about a newer version that contains a fix for this vulnerability.