Theart42

Name of the Vulnerable Software and Affected Versions: Jamovi versions prior to 1.6.19 Description: A cross-site scripting (XSS) issue affects Jamovi, where the column-name is vulnerable in the ElectronJS Framework. An attacker can create a .omv document containing a malicious payload. When this document is opened by a victim, the payload is triggered. Recommendations: For Jamovi versions prior to 1.6.19, update to version 1.6.19 or later to resolve the issue. As a temporary workaround, consider avoiding the use of user-provided .omv documents until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MineTime versions prior to 1.9 **Description** The issue allows arbitrary command execution via the notes field in a meeting, which could lead to remote code execution (RCE) via a meeting invite. **Recommendations** For versions prior to 1.9, update to version 1.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the notes field in meetings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ignite Realtime Spark version 2.8.3 **Description** A issue was discovered where a chat message can include an IMG element with a SRC attribute referencing an external host's IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request, allowing an attacker to collect these hashes, crack them, and potentially compromise the computer. This can occur if the user clicks on the message or if the ROAR plugin is configured for automatic access. **Recommendations** For Ignite Realtime Spark version 2.8.3, consider disabling automatic access in the ROAR plugin to minimize the risk of exploitation. Restrict user interaction with chat messages that include external IMG elements until a fix is available.