Zemnmez

**Name of the Vulnerable Software and Affected Versions** crypto-js versions prior to 4.2.0 **Description** The crypto-js library has a weakened PBKDF2 configuration, which is 1,000 times weaker than originally specified in 1993 and at least 1,300,000 times weaker than the current industry standard. This is due to the default use of the insecure SHA1 hashing algorithm and a single iteration. The impact is high if used to protect passwords or generate signatures. The library has 10,642 public users, and the number of transient dependents is likely several orders of magnitude higher. A rough GitHub search shows 432 files using PBKDF2 in crypto-js without specifying any number of iterations. **Recommendations** For versions prior to 4.2.0, configure crypto-js to use SHA256 with at least 250,000 iterations as a workaround. Update to version 4.2.0, which contains a patch for this issue.

**Name of the Vulnerable Software and Affected Versions** CryptoES versions prior to 2.1.0 **Description** The CryptoES PBKDF2 is weaker than originally specified and current industry standards due to defaulting to SHA1 and a single iteration. This weakness can lead to high-impact issues if used for password protection or signature generation. The estimated number of potentially affected devices is high, with at least 10,642 public users and a likely higher number of transient dependents. **Recommendations** For versions prior to 2.1.0, configure CryptoES to use SHA256 with at least 250,000 iterations as a workaround. For versions prior to 2.1.0, update to version 2.1.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Visual Studio Code (affected versions not specified) **Description** The issue is related to insufficient input validation in Visual Studio Code, which can be exploited by a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge and Internet Explorer (affected versions not specified) **Description** The issue exists due to insufficient input validation in Microsoft browsers. An attacker could exploit this to impact the confidentiality of protected information by using a specially crafted web page. The vulnerability allows an attacker to pass custom command line parameters under specific conditions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JanRain PHP OpenID library (aka php-openid) (affected versions not specified) **Description** The issue is related to improper checking of the `openid.realm` parameter against the `SERVER NAME` element in the `SERVER` superglobal array. This might allow remote attackers to hijack the authentication of arbitrary users via crafted HTTP Host headers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.