Yokoacc

**Name of the Vulnerable Software and Affected Versions** Zabbix (affected versions not specified) **Description** The regular expression used for validating host and event action script input allows bypass of the validation check when multiline mode is enabled. Specifically, the use of anchors (`^` and `$`) in administrator-defined input validation can be circumvented by injecting a newline character. This allows authenticated users to inject and execute shell commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 18 macOS versions prior to Sequoia 15 **Description** The issue was addressed with improved UI. Visiting a malicious website may lead to address bar spoofing. **Recommendations** For Safari versions prior to 18, update to Safari 18 to resolve the issue. For macOS versions prior to Sequoia 15, update to macOS Sequoia 15 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Remote Desktop Manager versions 2023.3.9.3 and earlier **Description** The issue allows an attacker to execute code via the `DYLIB INSERT LIBRARIES` environment variable. This is a code injection problem in Remote Desktop Manager on macOS. **Recommendations** For Remote Desktop Manager versions 2023.3.9.3 and earlier, consider restricting the use of the `DYLIB INSERT LIBRARIES` environment variable to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 13.1.2 macOS Big Sur versions prior to 11.0.1 **Description** An inconsistent user interface issue was addressed with improved state management. Visiting a malicious website may lead to address bar spoofing. **Recommendations** For Safari versions prior to 13.1.2, update to Safari 13.1.2 or later to resolve the issue. For macOS Big Sur versions prior to 11.0.1, update to macOS Big Sur 11.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 11.4 Apple Safari versions prior to 11.1.1 Apple iCloud versions prior to 7.5 on Windows Apple iTunes versions prior to 12.7.5 on Windows Apple tvOS versions prior to 11.4 **Description** The issue involves the WebKit component and allows remote attackers to spoof the address bar via a crafted web site. This can be achieved by manipulating a website to deceive users about the actual URL being visited. **Recommendations** For iOS versions prior to 11.4, update to version 11.4 or later. For Safari versions prior to 11.1.1, update to version 11.1.1 or later. For iCloud versions prior to 7.5 on Windows, update to version 7.5 or later. For iTunes versions prior to 12.7.5 on Windows, update to version 12.7.5 or later. For tvOS versions prior to 11.4, update to version 11.4 or later.

**Name of the Vulnerable Software and Affected Versions** Faveo version 1.9.3 **Description** The issue allows for CSRF, potentially resulting in obtaining admin privileges. The affected endpoint is "public/rolechangeadmin". **Recommendations** For Faveo version 1.9.3, update to a version that includes a fix for this issue to prevent CSRF attacks. As a temporary workaround, consider implementing CSRF protection measures to restrict access to the "public/rolechangeadmin" endpoint.

**Name of the Vulnerable Software and Affected Versions** HelpDEZk version 1.1.1 **Description** The issue allows for remote execution of arbitrary PHP code through a CSRF vulnerability. It is specifically found in the "admin/home#/logos/" endpoint. **Recommendations** For HelpDEZk version 1.1.1, as a temporary workaround, consider restricting access to the "admin/home#/logos/" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HelpDEZk version 1.1.1 **Description** The issue allows for obtaining admin privileges through CSRF in the "admin/home#/person/" endpoint. **Recommendations** For HelpDEZk version 1.1.1, update to a version that includes a fix for this issue, as using the `admin/home#/person/` endpoint can lead to admin privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS version 4.2.16 **Description** A CSRF issue exists, allowing the Navigation Social to be changed by manipulating the `value[#][*]` parameter in the "admin/settings/update/" page. **Recommendations** For BigTree CMS version 4.2.16, as a temporary workaround, consider restricting access to the "admin/settings/update/" page until a patch is available. Avoid using the `value[#][*]` parameter in this page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS version 4.2.16 **Description** The issue concerns a CSRF problem. It affects the "admin/settings/update/" page, specifically with the `value` parameter. This allows an attacker to change the Colophon. **Recommendations** For BigTree CMS version 4.2.16, consider restricting access to the "admin/settings/update/" page as a temporary workaround until a patch is available. Avoid using the `value` parameter in this page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS version 4.1.18 **Description** The issue concerns a CSRF problem. It affects the "admin/settings/update/" page, specifically with the `nav-social` parameter. This allows an attacker to change the Navigation Social settings. **Recommendations** For BigTree CMS version 4.1.18, consider restricting access to the "admin/settings/update/" page and the `nav-social` parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the `nav-social` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS version 4.1.18 **Description** The issue concerns a CSRF problem. It affects the "admin/settings/update/" page, specifically with the `colophon` parameter. This allows the Colophon to be changed. **Recommendations** For BigTree CMS version 4.1.18, consider restricting access to the "admin/settings/update/" page to minimize the risk of exploitation. As a temporary workaround, avoid using the `colophon` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions 4.1.18 through 4.2.16 **Description** The issue concerns a CSRF problem. It affects the "admin/ajax/users/delete/" page, specifically with the `id` parameter. This allows an unauthorized user deletion. **Recommendations** For BigTree CMS versions 4.1.18 through 4.2.16, avoid using the `id` parameter in the "admin/ajax/users/delete/" page until the issue is resolved. As a temporary workaround, consider restricting access to the "admin/ajax/users/delete/" page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple iTunes versions prior to 12.4 **Description** The issue is related to an untrusted search path vulnerability in the installer. This vulnerability can be exploited by a local user to gain privileges via a Trojan horse DLL in the current working directory. **Recommendations** For Apple iTunes versions prior to 12.4, update to version 12.4 or later to resolve the issue. As a temporary workaround, consider restricting the execution of DLLs from untrusted sources in the current working directory until a patch is applied. Avoid using the installer in potentially compromised environments to minimize the risk of exploitation.