Fernando Russ

**Name of the Vulnerable Software and Affected Versions** SAP SAPCRYPTOLIB version 5.555.38 **Description** The issue concerns the DSA algorithm implementation, which does not properly check signatures. This allows remote authenticated users to impersonate arbitrary users via unspecified vectors. **Recommendations** For SAP SAPCRYPTOLIB version 5.555.38, update to a version that properly checks signatures to prevent impersonation.

**Name of the Vulnerable Software and Affected Versions** SAP HANA DB version 1.00.091.00.1418659308 **Description** The issue allows remote attackers to obtain sensitive topology information via an unspecified HTTP request. **Recommendations** For SAP HANA DB version 1.00.091.00.1418659308, update to a version that addresses this issue, as specified in SAP Security Note 2176128.

**Name of the Vulnerable Software and Affected Versions** Oracle JD Edwards Products versions 9.1 through 9.2 **Description** The issue affects the availability of the system, related to Monitoring and Diagnostics. Details about the vectors used for exploitation are not specified. **Recommendations** For Oracle JD Edwards Products versions 9.1 through 9.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle JD Edwards Products versions 9.1 through 9.2 **Description** The issue affects the availability of the system, related to Monitoring and Diagnostics SEC in the JD Edwards EnterpriseOne Tools component. **Recommendations** For Oracle JD Edwards Products versions 9.1 through 9.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle JD Edwards Products versions 9.1 through 9.2 **Description** The issue affects the availability of the system. It is related to the Enterprise Infrastructure SEC in the JD Edwards EnterpriseOne Tools component. **Recommendations** For versions 9.1 and 9.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle JD Edwards Products versions 9.1 through 9.2 **Description** The issue affects confidentiality, integrity, and availability. It is related to the Enterprise Infrastructure SEC in the JD Edwards EnterpriseOne Tools component. **Recommendations** For versions 9.1 through 9.2, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Oracle JD Edwards Products versions 9.1 through 9.2 **Description** The issue affects the availability of the system, related to Enterprise Infrastructure SEC. **Recommendations** For Oracle JD Edwards Products versions 9.1 through 9.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle JD Edwards Products versions 9.1 through 9.2 **Description** The issue affects confidentiality, integrity, and availability. It is related to Monitoring and Diagnostics in the JD Edwards EnterpriseOne Tools component. The exact nature of the vulnerability and the vectors involved are not specified. **Recommendations** For versions 9.1 through 9.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP HANA DB version 1.00.73.00.389160 **Description** The issue concerns multiple SQL injection vulnerabilities in the Web-based Development Workbench of SAP HANA DB. These vulnerabilities allow remote authenticated users to execute arbitrary SQL commands. The vulnerabilities are related to unspecified vectors in the trace configuration page and the getSqlTraceConfiguration function. **Recommendations** For SAP HANA DB version 1.00.73.00.389160, consider restricting access to the trace configuration page and the getSqlTraceConfiguration function until a patch is available. As a temporary workaround, avoid using the getSqlTraceConfiguration function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP HANA DB version 1.00.73.00.389160 **Description** The issue allows remote authenticated users to spoof log entries via a crafted request. **Recommendations** For SAP HANA DB version 1.00.73.00.389160, update to a version that addresses this issue, as specified in SAP Security Note 2109818.

**Name of the Vulnerable Software and Affected Versions** SAP HANA DB version 1.00.73.00.389160 **Description** The issue allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement. **Recommendations** For SAP HANA DB version 1.00.73.00.389160, consider restricting access to the IMPORT FROM SQL statement until a patch is available.

Name of the Vulnerable Software and Affected Versions: Mirabilis ICQ Pro version 2003a Description: The issue allows remote attackers to cause a denial of service by consuming CPU resources. This is achieved by spoofing the address of an ADS server and sending HTML with a -1 width in a table tag. Recommendations: For Mirabilis ICQ Pro version 2003a, consider disabling the rendering of HTML tables with invalid width parameters as a temporary workaround until a patch is available. Restrict access to the Message Session window to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Mirabilis ICQ Pro 2003a Description: A format string issue in the POP3 client allows remote malicious servers to execute arbitrary code via format strings in the response to a UIDL command. Recommendations: For Mirabilis ICQ Pro 2003a, at the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Mirabilis ICQ Pro version 2003a Description: The issue concerns a denial of service that can be triggered by remote attackers. This is achieved through the `icqateimg32.dll` parsing/rendering library when it encounters malformed GIF89a headers. Specifically, the library is vulnerable when the headers do not contain a Global Color Table (GCT) or a Local Color Table (LCT) after an Image Descriptor. Recommendations: For Mirabilis ICQ Pro version 2003a, consider disabling the `icqateimg32.dll` library as a temporary workaround to prevent the denial of service until a patch is available. Restrict access to GIF89a files to minimize the risk of exploitation. Avoid using the vulnerable library for parsing or rendering images until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Mirabilis ICQ Pro version 2003a Description: The issue is related to integer signedness errors in the POP3 client, which can be exploited by remote attackers to execute arbitrary code. This can be achieved via the Subject or Date headers. Recommendations: For Mirabilis ICQ Pro version 2003a, consider disabling the POP3 client functionality until a patch is available to prevent potential exploitation. Restrict access to the POP3 client to minimize the risk of arbitrary code execution.

Name of the Vulnerable Software and Affected Versions: Mirabilis ICQ Pro 2003a Description: The issue concerns the "ICQ Features on Demand" functionality, which fails to properly verify the authenticity of software upgrades. This allows remote attackers to install arbitrary software via a spoofing attack. Recommendations: For Mirabilis ICQ Pro 2003a, consider disabling the "ICQ Features on Demand" functionality until a proper fix is available to prevent potential exploitation.