Armin Stock

In Content Management versions 20.4- 25.3 authenticated attackers may exploit a complex cache poisoning technique to download unprotected files from the server if the filenames are known.

**Name of the Vulnerable Software and Affected Versions** ILIAS versions 7.21 through 8.2 **Description** The issue concerns stored Cross Site Scripting (XSS), which is a type of security vulnerability that allows an attacker to inject malicious scripts into a website, potentially leading to unauthorized access or control. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For ILIAS versions 7.21 through 8.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ILIAS versions 7.21 through 8.2 **Description** The issue is related to reflected Cross-Site Scripting (XSS), which allows an attacker to inject malicious scripts into a website. This can lead to unauthorized access to user data or session hijacking. **Recommendations** For ILIAS versions 7.21 through 8.2, update to a version that includes a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenText Content Suite Platform version 16.2.19.1803 **Description** An issue was discovered that allows a low-privilege user to delete arbitrary files on the server's local filesystem through the "itemtemplate.createtemplate2" endpoint. **Recommendations** For OpenText Content Suite Platform version 16.2.19.1803, consider restricting access to the "itemtemplate.createtemplate2" endpoint to prevent low-privilege users from deleting arbitrary files on the server's local filesystem.

**Name of the Vulnerable Software and Affected Versions** OpenText Content Suite Platform version 16.2.19.1803 **Description** An issue was discovered that allows a low-privilege user to evaluate web reports through the "notify.localizeEmailTemplate" endpoint. **Recommendations** For OpenText Content Suite Platform version 16.2.19.1803, consider restricting access to the "notify.localizeEmailTemplate" endpoint to prevent low-privilege users from evaluating web reports until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenText Content Suite Platform version 22.1 (16.2.19.1803) **Description** An issue in the Java application server allows bypassing authentication of QDS endpoints in the Content Server. These endpoints can be exploited to create objects and execute arbitrary code. **Recommendations** For OpenText Content Suite Platform version 22.1 (16.2.19.1803), consider restricting access to the QDS endpoints of the Content Server until a patch is available. As a temporary workaround, disabling the Java application server or limiting its functionality may help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenText Content Suite Platform version 16.2.19.1803 **Description** A remote OScript execution issue was discovered, allowing an attacker to execute OScript code by passing the `htmlFile` parameter through multiple endpoints. The Content Server evaluates and executes OScript code in HTML files, enabling the attacker to manipulate files on the filesystem, create new network connections, or execute OS commands. **Recommendations** For OpenText Content Suite Platform version 16.2.19.1803, consider restricting access to the `htmlFile` parameter in the affected API endpoints until a patch is available. As a temporary workaround, disabling the execution of OScript code in HTML files could minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenText Content Suite Platform version 16.2.19.1803 **Description** An issue was discovered where the action `xmlexport` accepts the parameter `requestContext`. If this parameter is present, the response includes most of the HTTP headers sent to the server and some of the CGI variables like `remote adde` and `server name`, which is an information disclosure. **Recommendations** For OpenText Content Suite Platform version 16.2.19.1803, consider restricting access to the `xmlexport` action or removing the `requestContext` parameter to minimize the risk of information disclosure. As a temporary workaround, avoid using the `requestContext` parameter in the affected action until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenText Content Suite Platform version 16.2.19.1803 **Description** An issue was discovered where the request handler for ll.KeepAliveSession sets a valid AdminPwd cookie even when the Web Admin password was not entered. This allows access to endpoints that require a valid AdminPwd cookie without knowing the password. **Recommendations** For OpenText Content Suite Platform version 16.2.19.1803, consider disabling the ll.KeepAliveSession request handler as a temporary workaround until a patch is available. Restrict access to endpoints that require a valid AdminPwd cookie to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenText Content Suite Platform version 16.2.19.1803 **Description** An issue was discovered in the Common Gateway Interface (CGI) program cs.exe, allowing an attacker to increase or decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. **Recommendations** For OpenText Content Suite Platform version 16.2.19.1803, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** Versões do OrbiTeam BSCW Classic anteriores à 5.0.12 Versões do OrbiTeam BSCW Classic anteriores à 5.1.10 Versões do OrbiTeam BSCW Classic anteriores à 5.2.4 Versões do OrbiTeam BSCW Classic anteriores à 7.3.3 Versões do OrbiTeam BSCW Classic anteriores à 7.4.3 **Descrição** A vulnerabilidade permite a execução remota de código (RCE) autenticada durante a extração de arquivos compactados por meio de código Python fornecido pelo invasor no atributo `class` de um arquivo `.bscw`. **Recomendações** Para versões anteriores à 5.0.12, atualize para a versão 5.0.12 ou posterior. Para versões anteriores à 5.1.10, atualize para a versão 5.1.10 ou posterior. Para versões anteriores à 5.2.4, atualize para a versão 5.2.4 ou posterior. Para versões anteriores à 7.3.3, atualize para a versão 7.3.3 ou posterior. Para versões anteriores à 7.4.3, atualize para a versão 7.4.3 ou posterior.

**Nome do software vulnerável e versões afetadas** Versões do OrbiTeam BSCW Classic anteriores à 5.0.12 Versões do OrbiTeam BSCW Classic anteriores à 5.1.10 Versões do OrbiTeam BSCW Classic anteriores à 5.2.4 Versões do OrbiTeam BSCW Classic anteriores à 7.3.3 Versões do OrbiTeam BSCW Classic anteriores à 7.4.3 **Descrição** A vulnerabilidade permite a execução remota de código (RCE) autenticada por meio de injeção de tags XML. Isso ocorre porque o módulo `reportlabplatypusparaparser.py`, acessado via `bscw.cgi` com o parâmetro `op= editfolder.EditFolder`, chama `eval` no código Python fornecido pelo invasor. **Recomendações** Para versões anteriores à 5.0.12, atualize para a versão 5.0.12 ou posterior. Para versões anteriores à 5.1.10, atualize para a versão 5.1.10 ou posterior. Para versões anteriores à 5.2.4, atualize para a versão 5.2.4 ou posterior. Para versões anteriores à 7.3.3, atualize para a versão 7.3.3 ou posterior. Para versões anteriores à 7.4.3, atualize para a versão 7.4.3 ou posterior. Como solução alternativa temporária, considere restringir o acesso ao endpoint `bscw.cgi` com o parâmetro `op= editfolder.EditFolder` até que um patch seja aplicado.

**Nome do software vulnerável e versões afetadas: genua genugate versões 9.0 Z anteriores à p19 genua genugate versões 9.1.x a 9.6.x anteriores à 9.6 p7 genua genugate versões 10.x anteriores à 10.1 p4 Descrição: Foi descoberta uma vulnerabilidade nas interfaces web do genua genugate, na qual um método específico de autenticação durante o login não verifica os dados fornecidos e retorna “OK” para qualquer solicitação de autenticação, permitindo que um invasor faça login no painel de administração como um usuário de sua escolha, incluindo o usuário root ou até mesmo um usuário inexistente. Isso é possível devido à falta de validação adequada dos dados fornecidos quando ocorre uma determinada manipulação. Recomendações: Para as versões 9.0 Z do genua genugate anteriores à p19, atualize para a versão 9.0 Z p19 ou posterior. Para as versões 9.1.x a 9.6.x do genua genugate anteriores à 9.6 p7, atualize para a versão 9.6 p7 ou posterior. Para as versões 10.x do genua genugate anteriores à 10.1 p4, atualize para a versão 10.1 p4 ou posterior. Como solução temporária, considere restringir o acesso às interfaces web (Admin, Userweb, Sidechannel) até que um patch esteja disponível.