Shellkraft

**Name of the Vulnerable Software and Affected Versions** Wondershare Filmora version 14.5.16 **Description** A critical vulnerability has been found in Wondershare Filmora, affecting some unknown functionality in the library CRYPTBASE.dll of the file NFWCHK.exe of the component Installer. The manipulation leads to uncontrolled search path. Attacking locally is a requirement. The complexity of an attack is rather high, and the exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond. **Recommendations** For Wondershare Filmora version 14.5.16, as a temporary workaround, consider restricting access to the vulnerable library CRYPTBASE.dll until a patch is available. Additionally, avoid using the affected Installer component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Discord version 1.0.9188 **Description** A critical issue has been found in Discord, affecting some unknown functionality in the library WINSTA.dll. This issue leads to an uncontrolled search path. The attack must be approached locally and has a high complexity, making exploitation difficult. The exploit has been disclosed to the public. **Recommendations** For Discord version 1.0.9188, consider restricting access to the WINSTA.dll library as a temporary mitigation measure until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Patch My PC Home Updater versions up to 5.1.3.0 **Description** A critical issue affects some unknown processing in various system libraries, including `advapi32.dll`, `BCrypt.dll`, `comctl32.dll`, `crypt32.dll`, `dwmapi.dll`, `gdi32.dll`, `gdiplus.dll`, `imm32.dll`, `iphlpapi.dll`, `kernel32.dll`, `mscms.dll`, `msctf.dll`, `ntdll.dll`, `ole32.dll`, `oleaut32.dll`, `PresentationNative cor3.dll`, `secur32.dll`, `shcore.dll`, `shell32.dll`, `sspicli.dll`, and `System.IO`. The manipulation leads to an uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high, and the exploitation is known to be difficult. **Recommendations** For Patch My PC Home Updater versions up to 5.1.3.0, at the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Webkul Krayin CRM versions up to 2.1.0 Description: A vulnerability has been found in the SVG File Handler component of Webkul Krayin CRM, affecting an unknown functionality of the file /admin/settings/users/edit/. The manipulation leads to cross site scripting. The attack can be launched remotely. Recommendations: For Webkul Krayin CRM versions up to 2.1.0, consider disabling the SVG File Handler component until a fix is available. As a temporary workaround, restrict access to the /admin/settings/users/edit/ endpoint to minimize the risk of exploitation. Avoid using the affected functionality of the SVG File Handler component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.14.6 SuiteCRM versions prior to 8.7.1 Description: The issue arises due to insufficient input validation and sanitization of the `Publish Key` field within the SuiteCRM application, allowing an attacker to inject malicious JavaScript code. This can be exploited to steal CSRF tokens and perform unauthorized actions, such as creating new administrative users without proper authentication. When an attacker injects a malicious script, it gets executed within the context of an authenticated user's session. The injected script then leverages the captured CSRF token to forge requests that create new administrative users, effectively compromising the integrity and security of the CRM instance. Recommendations: For versions prior to 7.14.6, upgrade to version 7.14.6 or later. For versions prior to 8.7.1, upgrade to version 8.7.1 or later. As a temporary workaround, consider restricting access to the `Publish Key` field in the Edit Profile page until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.13 **Description** An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. **Recommendations** For versions prior to 10.0.13, update to version 10.0.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the debug bar until the update is applied.