Alejandro Rodriguez

**Name of the Vulnerable Software and Affected Versions** IBM WebSphere Application Server versions 7.0.0.13 and earlier **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console of IBM WebSphere Application Server. These vulnerabilities allow remote attackers to hijack the authentication of administrators for requests, specifically those that disable certain security options. This can be achieved via an Edit action to "console/adminSecurityDetail.do" followed by a save action to "console/syncworkspace.do". **Recommendations** For IBM WebSphere Application Server versions 7.0.0.13 and earlier, consider disabling access to the "console/adminSecurityDetail.do" and "console/syncworkspace.do" endpoints until a fix is available. Restrict the use of the administrative console to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NextGEN Gallery plugin versions prior to 1.5.2 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `mode` parameter in the xml/media-rss.php file. **Recommendations** For versions prior to 1.5.2, update to version 1.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the xml/media-rss.php file to minimize the risk of exploitation. Avoid using the `mode` parameter in the affected API endpoint until the issue is resolved.