Slonser

**Name of the Vulnerable Software and Affected Versions** Microsoft Exchange Server (affected versions not specified) **Description** The issue is related to a spoofing vulnerability in Microsoft Exchange Server, which allows attackers to affect the system. This vulnerability can be exploited to conduct spoofing attacks, making an attacker's email address appear legitimate to the victim. The vulnerability is caused by the current implementation of the P2 FROM header verification. It is particularly useful for spear phishing and other forms of email-based deception. Over 1 million potential targets have been found. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mysql2 versions prior to 3.9.4 **Description** The issue is related to the `readCodeFor` function in the mysql2 package, which is vulnerable to Remote Code Execution (RCE) due to improper validation of the `supportBigNumbers` and `bigNumberStrings` values. This allows a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 3.9.4, update to version 3.9.4 or later to resolve the issue. As a temporary workaround, consider disabling the `readCodeFor` function until a patch is available. Restrict access to the mysql2 package to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** mysql2 versions prior to 3.9.3 **Description** The issue is related to Improper Input Validation through the `keyFromFields` function, resulting in cache poisoning. An attacker can inject a colon `:` character within a value of the attacker-crafted key. **Recommendations** For versions prior to 3.9.3, update to version 3.9.3 or later to resolve the issue. As a temporary workaround, consider restricting the input to the `keyFromFields` function to prevent the injection of malicious characters.

**Name of the Vulnerable Software and Affected Versions** sanitize-html versions prior to 2.12.1 **Description** The issue allows for Information Exposure when the style attribute is permitted on the backend, enabling an attacker to enumerate files in the system, including project dependencies. This could be exploited to gather details about the file system structure and dependencies of the targeted server. **Recommendations** For versions prior to 2.12.1, update to version 2.12.1 or later to resolve the issue. As a temporary workaround, consider disabling the style attribute when using sanitize-html on the backend to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** net/mail package in Go (affected versions not specified) **Description** The issue is related to the ParseAddressList function, which incorrectly handles comments within display names. This can lead to different trust decisions being made by programs using different parsers, potentially allowing a remote attacker to perform spoofing attacks by providing specially crafted input data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 119.0.6045.105 **Description** The issue is related to an inappropriate implementation in the Payments component of Google Chrome, allowing a remote attacker to bypass XSS preventions via a malicious file. This can enable the attacker to circumvent security restrictions and gain unauthorized access to protected information. The Chromium security severity of this issue is rated as High. **Recommendations** For Google Chrome versions prior to 119.0.6045.105, update to version 119.0.6045.105 or later to resolve the issue. As a temporary workaround, consider restricting access to the Payments component until a patch is applied. Avoid using potentially vulnerable features in the affected versions until the issue is resolved.