Stefan Pietsch

**Name of the Vulnerable Software and Affected Versions** Micro Focus GroupWise Web versions prior to 18.4.2 **Description** A vulnerability has been identified in the GW Web component, which makes a request to the Post Office Agent containing sensitive information in the query parameters. This sensitive information could be logged by any intervening HTTP proxies. **Recommendations** For versions prior to 18.4.2, update to version 18.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the GW Web component to minimize the risk of exploitation. Avoid using sensitive information in query parameters for the Post Office Agent request until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenEMR version 6.0.0 before patch 3 **Description** An authenticated SQL injection issue in the calendar search function allows an attacker to read data from all tables of the database via the `provider id` parameter, as demonstrated by the "/interface/main/calendar/index.php?module=PostCalendar&func=search" URI. **Recommendations** For OpenEMR version 6.0.0 before patch 3, apply patch 3 to resolve the issue. As a temporary workaround, consider restricting access to the calendar search function until a patch is available. Avoid using the `provider id` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Rocket.Chat versions 3.7.1 through 3.9.1 Description: An email address enumeration issue exists in the password reset function. This allows for the potential identification of email addresses associated with user accounts. Recommendations: For Rocket.Chat versions 3.7.1 through 3.9.1, update to a version later than 3.9.1 to resolve the issue. As a temporary workaround, consider restricting access to the password reset function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MensaMax (aka com.breustedt.mensamax) version 4.3 **Description** The issue allows man-in-the-middle attackers to eavesdrop on authentication information between the application and the server due to cleartext transmission of sensitive information. **Recommendations** For MensaMax version 4.3, consider implementing encryption for sensitive information transmission to prevent eavesdropping. As a temporary workaround, restrict the use of the application on unsecured networks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MensaMax (aka com.breustedt.mensamax) version 4.3 **Description** An issue was discovered in the MensaMax application, where the use of a hard-coded DES cryptographic key allows an attacker who decodes the application to decrypt transmitted data, such as the `username` and `password`. **Recommendations** For MensaMax version 4.3, consider disabling the transmission of sensitive data until a patch is available. Restrict access to the application's data to minimize the risk of exploitation. Avoid using the application for sensitive transactions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.