Stefan Walter

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows (affected versions not specified) **Description** Improper access control in the Windows SMB Client, specifically within the `mrxsmb.sys` driver, allows an authorized or unauthenticated remote attacker to elevate privileges. The issue stems from weaknesses in authentication relaying, including NTLM reflection and Reflective Kerberos Relay attacks. Attackers can use authentication coercion techniques, such as forcing a request to a UNC path, to make a host connect to a malicious system. By manipulating `CREDENTIAL TARGET INFORMATIONW` and removing NTLM capabilities from SPNEGO to force Kerberos usage, an attacker can relay a Kerberos ticket back to the same host. This process allows the attacker to gain a session as the computer account (`DOMAINMACHINE$`) and ultimately escalate privileges to `NT AUTHORITYSYSTEM`, granting full control over the compromised device. Exploitation can occur via standard RPC and SMB services and may be triggered through social engineering or drive-by downloads. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PONTON X/P Messenger versions prior to 3.11.2 **Description** An issue was discovered due to path traversal in `private/SchemaSetUpload.do` for uploaded ZIP files. This allows an executable script to be uploaded by web application administrators, giving the attacker remote code execution on the underlying server via an `imgs/*.jsp` URI. **Recommendations** For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `private/SchemaSetUpload.do` endpoint and limiting the ability to upload ZIP files to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** PONTON X/P Messenger versions prior to 3.11.2 **Description** The navigation tree in the web application is susceptible to XSS, allowing the injection of JavaScript into its nodes. This issue can be exploited by users with the role of Configuration Administrator or Administrator, who have the capability to create such nodes. **Recommendations** For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue. As a temporary workaround, consider restricting the creation of new nodes in the navigation tree to minimize the risk of exploitation. Additionally, limiting the privileges of users with the roles Configuration Administrator or Administrator may also help mitigate the risk until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** PONTON X/P Messenger versions prior to 3.11.2 **Description** An issue was discovered in several functions, which are vulnerable to reflected XSS. This is demonstrated by various API endpoints, such as "private/index.jsp?partners/ShowNonLocalPartners.do?localID=", "private/index.jsp", "private/index.jsp?database/databaseTab.jsp", "private/index.jsp?activation/activationMainTab.jsp", "private/index.jsp?communication/serverTab.jsp", and "private/index.jsp?emailNotification/notificationTab.jsp". **Recommendations** For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using the vulnerable functions in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Team Password Manager versions prior to 10.135.236 **Description** The issue is related to an insufficient password reset mechanism in the Team Password Manager application. Exploitation of this issue may allow a remote attacker to gain unauthorized access to protected information by resetting passwords. **Recommendations** For versions prior to 10.135.236, update to version 10.135.236 or later to resolve the issue. As a temporary workaround, consider restricting access to the password reset feature until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** udisks2 (affected versions not specified) **Description** The issue is related to the Udisks program for querying and managing storage devices, specifically for ext2/3/4 file systems. It is caused by the default configuration to stop the machine in case of an error. An attacker can exploit this to cause a denial of service using a specially crafted image. This flaw allows an attacker to input a specially crafted image file or USB, leading to a kernel panic. The highest threat from this issue is to system availability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.