Wooseokdotkim

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.483 through 2.567 Jenkins LTS versions 2.492.1 through 2.555.2 **Description** Insufficient escaping of user-provided descriptions for generic offline causes allows for stored cross-site scripting (XSS), where malicious scripts are permanently stored on the server and executed in the browser of other users. This issue is exploitable by attackers possessing Agent/Configure permissions via the 'POST config.xml' API endpoint. **Recommendations** Update Jenkins to a version later than 2.567. Update Jenkins LTS to a version later than 2.555.2.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 0.78 through 10.0.24 GLPI versions 0.78 through 11.0.6 **Description** A technician can delete arbitrary files from the filesystem, provided the webserver has write permissions for those files. **Recommendations** Update to version 10.0.25. Update to version 11.0.7.

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail versions 1.6.x through 1.6.15 Roundcube Webmail versions 1.7.x prior to 1.7 **Description** Insufficient HTML sanitization allows for Cascading Style Sheets (CSS) injection. This occurs when an SVG document contains an `animate` element utilizing the `attributeName` attribute. **Recommendations** Update versions 1.6.x to 1.6.16. Update versions 1.7.x to 1.7.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.0 **Description** Dag Authors can craft a malicious XCom payload that allows them to execute arbitrary code within the webserver context, bypassing the standard restriction that prevents them from executing code in that environment. **Recommendations** Upgrade to Apache Airflow 3.2.0.

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.1 Description prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address containing raw HTML that is accepted as valid by PHP's FILTER VALIDATE EMAIL function. This email is stored in the database without sanitization and rendered in the admin FAQ editor template using Twig's |raw filter, bypassing auto-escaping. This allows for the execution of arbitrary scripts in the administrator's browser when reviewing the FAQ, potentially leading to session cookie theft and full admin account takeover. Recommendations Update to version 4.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** ingress-nginx versions prior to v1.13.9, v1.14.5, and v1.15.1 **Description** A security issue exists in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller and the disclosure of Secrets accessible to the controller. In a default installation, the controller has access to all Secrets cluster-wide. An estimated 100k–1M+ environments globally may be affected, particularly enterprise and cloud setups. Exploitation requires low-privilege Kubernetes API access (e.g., the ability to create Ingress resources). The vulnerability allows attackers to inject malicious nginx configuration via annotation combinations, potentially leading to remote code execution (RCE). The `ingress-nginx` controller is vulnerable to configuration injection through specially crafted Ingress annotations. Attackers can leverage this to execute arbitrary code within the controller's context and potentially access sensitive information, including cluster Secrets. **Recommendations** Upgrade to ingress-nginx version 1.13.9 or later, 1.14.5 or later, or 1.15.1 or later.

**Name of the Vulnerable Software and Affected Versions** Xpdf versions prior to 4.07 **Description** An out-of-bounds array write issue exists in Xpdf due to insufficient validation of the "N" field within ICCBased color spaces. This can lead to a crash or potentially allow for arbitrary code execution. **Recommendations** Update to version 4.07 or later.

**Name of the Vulnerable Software and Affected Versions** GPAC versions up to and including 26.02.0 **Description** GPAC is an open-source multimedia framework. A stack buffer overflow occurs during NHML file parsing in `src/filters/dmx nhml.c`. The `xmlHeaderEnd` XML attribute’s value from `att->value` is copied into the `szXmlHeaderEnd` buffer (size 1000 bytes) using the `strcpy()` function without length validation. If the input exceeds 1000 bytes, it overwrites the stack buffer boundary. **Recommendations** Update to a version later than 26.02.0.

**Name of the Vulnerable Software and Affected Versions** Node.js versions 20.x through 25.x **Description** An incomplete fix allows bypassing of intended write restrictions when using the Permission Model with restricted `--allow-fs-write`. Specifically, the `FileHandle.chmod()` and `FileHandle.chown()` methods within the promises API lack the necessary permission checks, while their callback-based counterparts (`fs.fchmod()`, `fs.fchown()`) were patched correctly. This allows code running with restricted permissions to modify file permissions and ownership on already-open file descriptors. The vulnerable API endpoints are `FileHandle.chmod()` and `FileHandle.chown()`. The vulnerable variables are file permissions and ownership. **Recommendations** Update to a version beyond 25.x when available.

**Name of the Vulnerable Software and Affected Versions** Versions prior to 2.3 **Description** An incomplete fix allows for a potential out-of-bounds read within the `gst wavparse adtl chunk()` function. The initial patch included a size validation check, however, it did not fully account for the offset calculation using `GST ROUND UP 2(lsize)`. Specifically, when `lsize` is an odd number, the parser can advance beyond the validated boundaries, leading to an out-of-bounds read. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.24.0 **Description** FreeRDP is an implementation of the Remote Desktop Protocol. The `gdi surface bits()` function handles SURFACE BITS COMMAND messages from the RDP server. When using NSCodec, the `bmp.width` and `bmp.height` values are not validated against desktop dimensions. A malicious RDP server can send crafted `bmp.width` and `bmp.height` values exceeding the expected surface size. This can lead to a heap buffer overflow because these values are used during bitmap decoding and memory operations without proper bounds checking. An attacker controlling the pixel data can potentially overwrite adjacent heap memory. **Recommendations** Versions prior to 3.24.0 should be updated to version 3.24.0 or later.