Ahmed Elhady Mohamed

**Nome do software vulnerável e versões afetadas** Hyperion Analytic Provider Services versão 11.1.2.4 **Descrição** O problema está relacionado à validação insuficiente de entradas no componente Smart View Provider do Hyperion Analytic Provider Services. Isso pode permitir que um invasor remoto obtenha acesso não autorizado a informações protegidas, modifique, adicione ou exclua dados, ou provoque uma negação de serviço utilizando o protocolo HTTP. A vulnerabilidade é difícil de explorar e requer interação humana de alguém além do invasor, bem como acesso ao segmento de comunicação físico conectado ao hardware onde o serviço é executado. Ataques bem-sucedidos podem resultar em acesso não autorizado a alguns dados, incluindo acesso para leitura, atualização, inserção ou exclusão, bem como negação parcial de serviço. **Recomendações** Para a versão 11.1.2.4, considere restringir o acesso ao componente Smart View Provider até que uma correção esteja disponível. Como solução alternativa temporária, limite a capacidade de modificar, adicionar ou excluir dados por meio desse componente para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** SDL Web version 8.5.0 **Description** The issue concerns an XXE vulnerability in the SaveUserSettings service of Content Manager, allowing unauthorized access to sensitive system files. **Recommendations** For SDL Web version 8.5.0, update to a version that includes a fix for this issue, as using an XXE vulnerability can lead to sensitive data exposure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Family Connections CMS (FCMS) versions 2.9 and earlier **Description** The issue allows remote attackers to hijack the authentication of arbitrary users for requests. This can be done by exploiting cross-site request forgery (CSRF) vulnerabilities in two areas: adding news via the "add" action to "familynews.php" and adding a prayer via the "add" action to "prayers.php". **Recommendations** For Family Connections CMS (FCMS) versions 2.9 and earlier, update to a version later than 2.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** DAlbum versions 1.44 build 174 and earlier **Description** The issue affects the photo/pass.php file, allowing remote attackers to exploit multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities enable attackers to hijack the authentication of administrators for specific requests, including adding a user via an `add` action, changing user passwords via a `change` action, or deleting a user via a `delete` action. **Recommendations** For DAlbum versions 1.44 build 174 and earlier, as a temporary workaround, consider disabling the `add`, `change`, and `delete` actions in the photo/pass.php file until a patch is available. Restrict access to the photo/pass.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SnackAmp version 3.1.3 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash. This can be achieved by providing a long string in an aiff file. **Recommendations** For SnackAmp version 3.1.3, consider avoiding the use of aiff files with long strings until a patch is available. As a temporary workaround, restrict access to aiff files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MediaChance Real-DRAW PRO version 5.2.4 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash, by sending a crafted file. The types of files that can cause this issue include PNG, WMF, PSD, TGA, TTF, BMP, TIFF, and PCX files. **Recommendations** For MediaChance Real-DRAW PRO version 5.2.4, consider avoiding the use of the affected file types until a patch is available. As a temporary workaround, restrict the opening of these file types to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.