Deniz Cevik

**Nome do software vulnerável e versões afetadas** Versões do Polarion ALM anteriores à V2404.0 **Descrição** O problema está relacionado a uma falha no procedimento de autenticação do aplicativo Polarion ALM, que poderia permitir que um invasor remoto contornasse a autenticação e obtivesse acesso total ao dispositivo. Especificamente, os pontos de extremidade da API REST do doorsconnector carecem de autenticação adequada, permitindo potencialmente que um invasor não autenticado acesse os pontos de extremidade e execute código. **Recomendações** Para versões anteriores à V2404.0, atualize para a versão V2404.0 ou posterior para resolver o problema. Como solução alternativa temporária, considere restringir o acesso aos pontos de extremidade da API REST do doorsconnector para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Cisco WebEx Meetings Server (affected versions not specified) **Description** The issue is related to insufficient validation of user-supplied input, which could allow a remote attacker to conduct a cross-site scripting (XSS) attack. This can be achieved by persuading a user to click a specially crafted link, potentially allowing the attacker to execute arbitrary script code or access sensitive browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.0.x through 4.0.10.15 phpMyAdmin versions 4.4.x through 4.4.15.6 phpMyAdmin versions 4.6.x through 4.6.2 **Description** The issue allows remote attackers to cause a denial of service via a large array in the `scripts` parameter in the js/get scripts.js.php file. **Recommendations** For phpMyAdmin versions 4.0.x through 4.0.10.15, update to version 4.0.10.16 or later. For phpMyAdmin versions 4.4.x through 4.4.15.6, update to version 4.4.15.7 or later. For phpMyAdmin versions 4.6.x through 4.6.2, update to version 4.6.3 or later.

**Name of the Vulnerable Software and Affected Versions** ZyXEL ZyWALL USG 300 (affected versions not specified) ZyXEL ZyWALL 100 (affected versions not specified) **Description** The issue allows a remote attacker to inject arbitrary web script or HTML via the `Referer` header, which is not properly handled on the 404 Error page. This can lead to a disruption in the integrity of the data processed by the web server. The exploitation of this issue can be done through cross-site scripting. **Recommendations** For ZyXEL ZyWALL USG 300, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For ZyXEL ZyWALL 100, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Application Server (OracleAS) Portal 10g **Description** The issue allows remote attackers to bypass intended access restrictions and read the contents of /dav portal/portal/ by sending a request containing a trailing "%0A" (encoded line feed), then using the session ID that is generated from that request. **Recommendations** For Oracle Application Server (OracleAS) Portal 10g, as a temporary workaround, consider restricting access to the /dav portal/portal/ endpoint until a patch is available. Avoid using the session ID generated from requests containing a trailing "%0A" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.