Yiming Xiang

**Name of the Vulnerable Software and Affected Versions** Microsoft Defender for IoT (affected versions not specified) **Description** The issue is related to insufficient access control in Microsoft Defender for IoT, which could allow an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) (affected versions not specified) **Description** The issue is related to insufficient input validation in Microsoft Dynamics 365 Business Central and Microsoft Dynamics NAV, which can be exploited by a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Azure CycleCloud (affected versions not specified) **Description** The issue is related to insufficient access controls in Azure CycleCloud, a tool for organizing and managing high-performance computing (HPC) environments. This can allow a remote attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Skype for Business Server and Microsoft Lync Server (affected versions not specified) **Description** The issue is related to insufficient input validation, which can be exploited by a remote attacker to execute arbitrary code in the target system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NATS Server versions 2.2.0 through 2.7.3 NATS Streaming Server versions 0.15.0 through 0.24.2 **Description** The issue allows for Directory Traversal with write access via an element in a ZIP archive for JetStream streams, enabling arbitrary file write. This is due to inadequate checks on filenames within the archive file, permitting a "Zip Slip" attack during stream restore. The estimated number of potentially affected devices is not specified. **Recommendations** For NATS Server versions 2.2.0 through 2.7.3, upgrade to at least version 2.7.4. For NATS Streaming Server versions 0.15.0 through 0.24.2, upgrade to at least version 0.24.3. As a temporary workaround, consider disabling JetStream for untrusted users. If only one NATS account uses JetStream and all users with access to the JetStream API are trusted, apply sandboxing techniques, such as running NATS as an unprivileged user with restricted access, to prevent exploit.

Name of the Vulnerable Software and Affected Versions: Apache AsterixDB versions between commits 580b81aa5e8888b8e1b0620521a1c9680e54df73 and 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d Description: When loading a UDF, a specially crafted zip file could allow files to be placed outside of the UDF deployment directory. This issue did not affect any released versions of Apache AsterixDB. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spring Cloud Config versions 2.2.x prior to 2.2.2 Spring Cloud Config versions 2.1.x prior to 2.1.7 Spring Cloud Config older unsupported versions **Description** The issue allows applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. **Recommendations** For Spring Cloud Config versions 2.2.x prior to 2.2.2, update to version 2.2.2 or later. For Spring Cloud Config versions 2.1.x prior to 2.1.7, update to version 2.1.7 or later. For Spring Cloud Config older unsupported versions, consider upgrading to a supported version to mitigate the risk.