Thomas Chauchefoin

**Name of the Vulnerable Software and Affected Versions** Fickling versions up to and including 0.1.6 **Description** Fickling, a Python pickling decompiler and static analyzer, incorrectly classifies pickles utilizing Python’s `runpy.run path()` or `runpy.run module()` as SUSPICIOUS instead of OVERTLY MALICIOUS. This misclassification can occur when a user relies on Fickling’s output to determine the safety of pickle deserialization, potentially leading to the execution of attacker-controlled code. This issue impacts any workflow or product that uses Fickling as a security gate for pickle deserialization. **Recommendations** Versions prior to 0.1.7 should be updated to version 0.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** DotNetZip versions 1.16.0 and earlier ABB Drive Composer versions prior to 2.9.1 **Description** The issue allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component. This affects products that are no longer supported by the maintainer. The problem has been reportedly exploited in real-world attacks. **Recommendations** For DotNetZip versions 1.16.0 and earlier, consider disabling the `ZipEntry.Extract.cs` component until a patch is available. For ABB Drive Composer versions prior to 2.9.1, update to version 2.9.1 for protection.

**Name of the Vulnerable Software and Affected Versions** Zscaler Client Connector for macOS versions prior to 3.6 **Description** The Zscaler Client Connector for macOS did not sufficiently validate RPC clients, allowing a local adversary without sufficient privileges to potentially shutdown the Zscaler tunnel by exploiting a race condition. **Recommendations** For versions prior to 3.6, update to version 3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the RPC client validation mechanism to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Visual Studio Code (affected versions not specified) **Description** The issue is related to insufficient input validation in Visual Studio Code, allowing an attacker to execute arbitrary code using a specially crafted file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gogs versions 0.13.0 and earlier **Description** The issue is related to argument injection during the tagging of a new release. This could allow a remote attacker to disclose protected information. Unprivileged user accounts with at least one SSH key can read arbitrary files on the system, potentially leaking configuration files with database credentials, such as `[database]` and `[security] SECRET KEY`, as well as exfiltrating TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled. **Recommendations** For Gogs versions 0.13.0 and earlier, upgrade to version 0.13.1 or the latest 0.14.0+dev to resolve the issue. As a temporary measure, only grant access to trusted users to your Gogs instance on affected versions, as there is no viable workaround available.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 6.1 WordPress versions 6.1 through 6.2 WordPress versions 6.1 through 6.9.1 **Description** WordPress is susceptible to an unauthenticated blind Server-Side Request Forgery (SSRF) issue within the pingback feature. This is due to a Time-of-Check-to-Time-of-Use (TOCTOU) race condition occurring between the validation checks and the HTTP request. This allows attackers to access internal hosts that are explicitly prohibited. Exploitation can involve DNS rebinding. Potential impacts include internal reconnaissance and port scanning on ports such as 80, 443, and 8080, and access to cloud metadata if DNS redirects to addresses like 169.254.169.254. Remote Code Execution (RCE) is unlikely without chaining this issue with other internal vulnerabilities. The `/xmlrpc.php` endpoint is involved in this issue. The `pingback` feature is the source of the problem. **Recommendations** For WordPress versions prior to 6.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For WordPress versions 6.1 through 6.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For WordPress versions 6.1 through 6.9.1, disable XML-RPC via plugin or .htaccess. As an alternative, uncheck "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts" in the Discussion Settings to disable pingbacks.

**Name of the Vulnerable Software and Affected Versions** Visual Studio Code versions prior to 1.67.1 **Description** The vulnerability in Visual Studio Code is related to insufficient input validation. Exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 1.67.1, update to version 1.67.1 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable features or modules in Visual Studio Code until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Composer (affected versions not specified) **Description** The issue is related to the `VcsDriver::getFileContent` method in Composer, a dependency manager for PHP. If a user can control the `$file` or `$identifier` argument, it may lead to a code injection vulnerability. This vulnerability can be exploited on platforms like packagist.org, where the `readme` field in composer.json can be used to inject parameters into hg/Mercurial via the `$file` argument or into git via the `$identifier` argument. To the best of our knowledge, this vulnerability was not actively exploited. The vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zabbix Frontend (affected versions not specified) **Description** The issue is related to improper access control in the setup.php file of Zabbix Frontend, allowing unauthenticated users to access certain setup steps that should only be accessible by super-administrators. This could potentially enable a malicious actor to change the configuration of Zabbix Frontend. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Visual Studio Code (affected versions not specified) **Description** The issue is related to incorrect code generation management in the Visual Studio Code editor. Exploitation of this issue may allow an attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cachet versions prior to 2.5.1 **Description** Cachet is an open source status page system. Authenticated users, regardless of their privileges, can trick Cachet and install the instance again, leading to arbitrary code execution on the server. This issue was addressed by improving the middleware `ReadyForUse`, which now performs a stricter validation of the instance name. As a workaround, only allow trusted source IP addresses to access the administration dashboard. **Recommendations** For versions prior to 2.5.1, update to version 2.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the administration dashboard by only allowing trusted source IP addresses.

**Name of the Vulnerable Software and Affected Versions** Cachet versions prior to 2.5.1 **Description** Cachet is an open source status page system. Authenticated users, regardless of their privileges, can exploit a new line injection in the configuration edition feature and gain arbitrary code execution on the server. This issue was addressed by improving `UpdateConfigCommandHandler` and preventing the use of new lines characters in new configuration values. **Recommendations** For versions prior to 2.5.1, update to version 2.5.1 to resolve the issue. As a temporary workaround, only allow trusted source IP addresses to access the administration dashboard.

**Name of the Vulnerable Software and Affected Versions** Smartstore (aka SmartStoreNET) versions through 4.1.1 **Description** An issue was discovered where the Views/Boards/Partials/ ForumPost.cshtml file does not call `HtmlUtils.SanitizeHtml` on certain text for a forum post, potentially leading to issues with unsanitized text. **Recommendations** For Smartstore (aka SmartStoreNET) versions through 4.1.1, consider modifying the Views/Boards/Partials/ ForumPost.cshtml file to call `HtmlUtils.SanitizeHtml` on the affected text to prevent potential issues with unsanitized input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Smartstore (aka SmartStoreNET) versions through 4.1.1 **Description** An issue was discovered where Views/PrivateMessages/View.cshtml does not call `HtmlUtils.SanitizeHtml` on a private message, potentially leading to issues with private message handling. **Recommendations** For Smartstore (aka SmartStoreNET) versions through 4.1.1, consider modifying the Views/PrivateMessages/View.cshtml to call `HtmlUtils.SanitizeHtml` on private messages as a temporary workaround until a patch is available.

Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.11 Description: The issue concerns the Twig processing of static pages in Grav, a file-based Web-platform. Any administrative user allowed to create or edit pages can enable Twig processing in the front matter. Since the Twig processor runs unsandboxed, this behavior can be exploited to gain arbitrary code execution and elevate privileges on the instance. Recommendations: For versions prior to 1.7.11, update to version 1.7.11 to address the issue. As a temporary workaround, consider blocking access to the `/admin` path from untrusted sources to reduce the probability of exploitation. After updating, consider configuring the `system.twig.safe functions` and `system.twig.safe filters` options to manually allow arbitrary PHP functions and filters.

**Name of the Vulnerable Software and Affected Versions** ppp versions prior to 2.4.5-5ubuntu1.4 ppp versions prior to 2.4.5-5.1ubuntu2.3+esm2 ppp versions prior to 2.4.7-1+2ubuntu1.16.04.3 ppp versions prior to 2.4.7-2+2ubuntu1.3 ppp versions prior to 2.4.7-2+4.1ubuntu5.1 ppp versions prior to 2.4.7-2+4.1ubuntu6 **Description** The issue is related to the incorrect handling of module loading in the modprobe child process, allowing a local non-root attacker to exploit the MODPROBE OPTIONS environment variable and read arbitrary root files. This is a privilege escalation vulnerability. **Recommendations** For versions prior to 2.4.5-5ubuntu1.4, update to version 2.4.5-5ubuntu1.4 or later. For versions prior to 2.4.5-5.1ubuntu2.3+esm2, update to version 2.4.5-5.1ubuntu2.3+esm2 or later. For versions prior to 2.4.7-1+2ubuntu1.16.04.3, update to version 2.4.7-1+2ubuntu1.16.04.3 or later. For versions prior to 2.4.7-2+2ubuntu1.3, update to version 2.4.7-2+2ubuntu1.3 or later. For versions prior to 2.4.7-2+4.1ubuntu5.1, update to version 2.4.7-2+4.1ubuntu5.1 or later. For versions prior to 2.4.7-2+4.1ubuntu6, update to version 2.4.7-2+4.1ubuntu6 or later.

**Name of the Vulnerable Software and Affected Versions** Zabbix (affected versions not specified) **Description** The issue is related to the SAML SSO authentication in Zabbix. When SAML SSO authentication is enabled, a malicious actor can modify session data because the user login stored in the session is not verified. This can allow an unauthenticated actor to escalate privileges and gain admin access to Zabbix Frontend. The attack requires SAML authentication to be enabled, and the actor must know the username of a Zabbix user or use the guest account, which is disabled by default. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wp-google-maps versions prior to 7.11.18 **Description** The issue concerns the wp-google-maps plugin for WordPress, where the REST API in includes/class.rest-api.php does not properly sanitize field names before executing a SELECT statement. **Recommendations** For versions prior to 7.11.18, update to version 7.11.18 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** elFinder versions prior to 2.1.48 **Description** The issue is related to a command injection vulnerability in the PHP connector of elFinder. **Recommendations** For versions prior to 2.1.48, update to version 2.1.48 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Jenkins Job Import Plugin versions 2.1 and earlier Description: The issue allows attackers with control over the HTTP server queried in preparation of job import to read arbitrary files and perform a denial of service attack. This is due to an XML external entity processing vulnerability in the src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java file. Recommendations: For Jenkins Job Import Plugin versions 2.1 and earlier, update to a version later than 2.1 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.