Victor Pereira

**Name of the Vulnerable Software and Affected Versions** openSUSE paste versions prior to b57b9f87e303a3db9465776e657378e96845493b **Description** An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue allows remote attackers to place Javascript into SVG files. **Recommendations** For versions prior to b57b9f87e303a3db9465776e657378e96845493b, as a temporary workaround, consider restricting access to SVG files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SUSE Open Build Service versions prior to 2.10.13 **Description** A vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations, potentially gaining information from the server that can be abused to escalate to Admin privileges on OBS. **Recommendations** For versions prior to 2.10.13, update to version 2.10.13 or later to resolve the issue. As a temporary workaround, consider restricting access to certain operations that may be vulnerable to XML External Entity Reference attacks until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb **Description** A Improper Neutralization of Input During Web Page Generation issue allows remote attackers to store arbitrary JS code, causing XSS. **Recommendations** For versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb, update to a version that includes the fix for this issue to prevent remote attackers from storing arbitrary JS code and causing XSS.

**Name of the Vulnerable Software and Affected Versions** SaltStack (affected versions not specified) **Description** The issue allows remote users to decrypt communications due to a problem with SaltStack RSA Key Generation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Horde Groupware Webmail Edition (affected versions not specified) **Description** The issue concerns Horde Groupware Webmail Edition, which has problems with CSRF and XSS when saving a search as a virtual address book. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Horde Groupware Web Mail version 5.1.2 **Description** The issue concerns a CSRF problem that affects requests to change permissions. **Recommendations** For version 5.1.2, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** evince (affected versions not specified) **Description** The issue is related to a missing check on the number of pages, which can lead to a segmentation fault. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gSOAP versions 2.7.x through 2.8.47 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via a large XML document. This can lead to a stack-based buffer overflow and application crash. **Recommendations** For gSOAP versions 2.7.x through 2.8.47, update to version 2.8.48 or later to resolve the issue. As a temporary workaround, consider restricting the size of XML documents processed by the soap get function to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** openldap version 2.4 **Description** An off-by-one error was found in openldap when processing DNS SRV messages, potentially leading to a crash. This issue affects configurations using the dnssrv backend, where an attacker could exploit the service with crafted DNS responses, causing it to crash. **Recommendations** For openldap version 2.4, as a temporary workaround, consider disabling the dnssrv backend until a patch is available. Restrict access to the service to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Python Pip versions prior to 1.5 **Description** The issue concerns the mirroring support in Python Pip, which uses insecure DNS querying and authenticity checks. This allows attackers to perform man-in-the-middle attacks. **Recommendations** For versions prior to 1.5, update to version 1.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Qemu versions 1.1.2+dfsg through 2.1+dfsg **Description** The issue is related to a buffer overrun that could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. **Recommendations** For Qemu versions 1.1.2+dfsg through 2.1+dfsg, at the moment, there is no information about a newer version that contains a fix for this vulnerability.