Jan Bee

**Name of the Vulnerable Software and Affected Versions** IBM FlashSystem versions (affected versions not specified) **Description** The issue allows an authenticated attacker with specialized access to overwrite arbitrary files, potentially causing a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Storwize V7000 Unified management Web interface version 1.6 **Description** The management Web interface exposes internal cluster details to unauthenticated users, potentially allowing access to sensitive information. **Recommendations** For IBM Storwize V7000 Unified management Web interface version 1.6, consider restricting access to the Web interface until a fix is available.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** The issue allows an unauthenticated attacker to read arbitrary files on the system through the web handler /DLSnap. **Recommendations** For versions 6.1 through 8.1.1, as a temporary workaround, consider restricting access to the /DLSnap web handler until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** The issue allows an authenticated user to access system files they should not have access to, some of which could contain account credentials. **Recommendations** For versions 6.1 through 8.1.1, update to a version that contains a fix for this issue to prevent unauthorized access to system files.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** The issue allows an authenticated user to obtain the private key, which could make intercepting GUI communications possible. **Recommendations** For versions 6.1 through 8.1.1, update to a version that contains a fix for this issue to prevent an authenticated user from obtaining the private key.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** The issue allows an attacker to execute malicious and unauthorized actions by exploiting cross-site request forgery. This could be done by transmitting actions from a user that the website trusts. **Recommendations** For versions 6.1 through 8.1.1, update to a version that is not affected by this issue to prevent cross-site request forgery attacks.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** The issue is related to the use of weaker than expected cryptographic algorithms, which could allow an attacker to decrypt highly sensitive information. **Recommendations** For versions 6.1 through 8.1.1, update the cryptographic algorithms to stronger ones to prevent potential decryption of sensitive information by an attacker.

**Name of the Vulnerable Software and Affected Versions** Red Hat Network Client Tools versions on Red Hat Gluster Storage 2.1 and Enterprise Linux (RHEL) 5, 6, and 7 **Description** The issue is related to the `rhnreg ks` component in Red Hat Network Client Tools, which fails to properly validate hostnames in X.509 certificates from SSL servers. This allows remote attackers to launch a man-in-the-middle attack, preventing system registration. **Recommendations** For Red Hat Gluster Storage 2.1 and Enterprise Linux (RHEL) 5, 6, and 7, update the Red Hat Network Client Tools to a version that properly validates hostnames in X.509 certificates. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric Wonderware InTouch Access Anywhere versions prior to 11.5.2 **Description** The issue is related to inadequate encryption strength. Specifically, the software connects via Transport Layer Security without properly verifying the peer's SSL certificate. **Recommendations** For versions prior to 11.5.2, update to a version that properly verifies the peer's SSL certificate to ensure secure connections.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric Wonderware InTouch Access Anywhere versions prior to 11.5.2 **Description** An Information Exposure issue allows credentials to be exposed to external systems via specific URL parameters. This is possible because arbitrary destination addresses may be specified, potentially leading to unauthorized access. **Recommendations** For versions prior to 11.5.2, update to a version newer than 11.5.2 to resolve the issue. As a temporary workaround, consider restricting access to sensitive URL parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ESET Endpoint Antivirus for macOS versions prior to 6.4.168.0 ESET Endpoint Security for macOS versions prior to 6.4.168.0 **Description** The issue concerns the esets daemon service, which fails to properly verify X.509 certificates from the edf.eset.com SSL server. This allows man-in-the-middle attackers to spoof the server and provide crafted responses to license activation requests using a self-signed certificate. **Recommendations** For ESET Endpoint Antivirus for macOS versions prior to 6.4.168.0, update to version 6.4.168.0 or later. For ESET Endpoint Security for macOS versions prior to 6.4.168.0, update to version 6.4.168.0 or later.