Rskvp93

**Name of the Vulnerable Software and Affected Versions** Outline versions prior to 0.77.3 **Description** A type confusion issue in ProseMirror's rendering process leads to a Stored Cross-Site Scripting (XSS) issue. An authenticated user can create a document with a malicious JavaScript payload, which can execute when other users view the document. The issue can bypass Content Security Policy (CSP) restrictions in self-hosted environments with file storage on the same domain. **Recommendations** For versions prior to 0.77.3, upgrade to release version 0.77.3 to address the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft Exchange versions prior to the fixed version **Description** The vulnerability is related to insufficient input validation in the PowerShell component of Microsoft Exchange, allowing remote attackers to execute arbitrary code. This issue is also associated with a form of Privilege Escalation known as TabShell, which enables breaking out of the restricted PowerShell Sandbox after gaining access through OWASSRF. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Exchange Server (affected versions not specified) **Description** The issue is related to insufficient access controls in Microsoft Exchange Server, allowing a remote attacker to elevate their privileges. This vulnerability has been exploited in real-world incidents, such as the attack on the UK electoral commission, where data of approximately 40 million people may have been leaked. The vulnerability was also used in the breach of Rackspace, where the Play ransomware gang gained initial access to the company's email environment using a zero-day exploit. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Skype for Business Server (affected versions not specified) **Description** The vulnerability is related to a lack of protection for service data in Skype for Business Server, which can allow a remote attacker to gain unauthorized access to protected information. There have been reports of an Arbitrary File Read vulnerability for internal sites of Skype for Business and MS Lync, affecting subdomains such as dialin, meet, lyncdiscover, and sip. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Skype for Business Server (affected versions not specified) Lync (affected versions not specified) **Description** The issue is related to errors in the user interface's representation of information on the Skype for Business Server. It may allow a remote attacker to conduct spoofing attacks. **Recommendations** For Skype for Business Server, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Lync, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Dynamics 365 (affected versions not specified) **Description** The issue is related to insufficient protection of the web page structure in Microsoft Dynamics 365, allowing for cross-site scripting attacks. An attacker could exploit this to perform remote cross-site scripting attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint Server (affected versions not specified) **Description** The issue is related to errors in the user interface's representation of information. It may allow a remote attacker to perform a spoofing attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint (affected versions not specified) **Description** The issue is related to a spoofing vulnerability in Microsoft SharePoint. It is associated with errors in the user interface's information display. Exploitation of this issue may allow a remote attacker to conduct spoofing attacks using a specially crafted request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Modicon M340 CPUs versions prior to V3.40 Modicon M340 X80 Ethernet Communication Modules versions (all versions) Modicon Premium Processors with integrated Ethernet versions (all versions) Modicon Quantum Processors with Integrated Ethernet versions (all versions) Modicon Quantum Communication Modules versions (all versions) Modicon Premium Communication Modules versions (all versions) **Description** The issue is related to a buffer overflow in the software of programmable logic controllers. An attacker can exploit this by sending specially crafted HTTP requests, potentially causing a denial of service. **Recommendations** For Modicon M340 CPUs versions prior to V3.40, update to version V3.40 or later. For Modicon M340 X80 Ethernet Communication Modules, restrict access to the web server until a patch is available. For Modicon Premium Processors with integrated Ethernet, consider disabling the HTTP server functionality until a fix is provided. For Modicon Quantum Processors with Integrated Ethernet, avoid using the vulnerable communication modules until an update is released. For Modicon Quantum Communication Modules and Modicon Premium Communication Modules, limit network exposure to these modules until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Microsoft Dynamics Business Central (affected versions not specified) Microsoft Dynamics NAV (affected versions not specified) **Description** The issue is related to a cross-site scripting vulnerability in Microsoft Dynamics Business Central and Microsoft Dynamics NAV. This vulnerability is due to inadequate protection of the web page structure. An attacker could exploit this vulnerability to perform a cross-site scripting attack remotely. **Recommendations** For Microsoft Dynamics Business Central, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Microsoft Dynamics NAV, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Dynamics Business Central (affected versions not specified) Microsoft Dynamics NAV (affected versions not specified) **Description** The issue is related to a lack of protection for the web page structure in Microsoft Dynamics 365 Business Central and Microsoft Dynamics NAV, allowing for cross-site scripting attacks. An attacker could exploit this by using a specially crafted malicious link to conduct remote cross-site scripting attacks. **Recommendations** For Microsoft Dynamics Business Central, update to a version that includes fixes for cross-site scripting vulnerabilities. For Microsoft Dynamics NAV, apply configuration changes to protect against cross-site scripting attacks, such as validating user input and encoding output. As a temporary workaround, consider restricting access to sensitive areas of the application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Exchange Server (affected versions not specified) **Description** The issue is related to incorrect code generation management in Microsoft Exchange Server, allowing remote attackers to execute arbitrary code. This can be exploited by attackers to gain unauthorized access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint Server (affected versions not specified) **Description** The issue is related to errors in the user interface's information representation in Microsoft SharePoint Enterprise Server. It allows a remote attacker to perform a spoofing attack, potentially affecting the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Azure DevOps Server and Team Foundation Services (affected versions not specified) **Description** The issue is related to incorrect code generation management in Azure DevOps Server and Team Foundation Server. Exploitation of this issue may allow a remote attacker to impact the confidentiality and integrity of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Dynamics 365 (on-premises) (affected versions not specified) Description: The issue is related to the failure to protect the web page structure in Microsoft Dynamics 365, allowing for potential cross-site scripting attacks. An attacker could exploit this to perform remote actions. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Dynamics 365 (on-premises) (affected versions not specified) Description: A cross-site scripting issue exists due to improper sanitization of specially crafted web requests. An authenticated attacker could exploit this by sending a crafted request, allowing cross-site scripting attacks on affected systems. This could enable the attacker to read unauthorized content, use the victim's identity to take actions within Dynamics Server, and inject malicious content into the user's browser. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft SharePoint Server (affected versions not specified) Description: A cross-site scripting issue exists due to improper sanitization of specially crafted web requests. This could allow a remote attacker to perform cross-site scripting attacks, potentially enabling them to read unauthorized content, use the victim's identity to take actions on the SharePoint site, change permissions, delete content, and inject malicious content into the user's browser. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CKEditor 4 WSC plugin versions through 5.5.7.5 **Description** A cross-site scripting (XSS) issue allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor. **Recommendations** For CKEditor 4 WSC plugin versions through 5.5.7.5, consider disabling the WSC plugin until a patch is available to prevent exploitation of the XSS vulnerability.