Jerold Hoong

**Name of the Vulnerable Software and Affected Versions** CA Service Desk Manager versions 12.9 through 14.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `QBE.EQ.REF NUM` parameter. This can lead to the execution of malicious scripts on the client-side. **Recommendations** For CA Service Desk Manager version 12.9, update to a version that fixes this issue. For CA Service Desk Manager version 14.1, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the `QBE.EQ.REF NUM` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eClinicalWorks Population Health (CCMR) (affected versions not specified) **Description** The issue concerns a cross-site scripting vulnerability. It affects the login.jsp file, allowing remote unauthenticated users to inject arbitrary JavaScript via the `strMessage` parameter in the "/login.jsp" API endpoint. **Recommendations** As a temporary workaround, consider restricting access to the `login.jsp` file until a patch is available. Avoid using the `strMessage` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eClinicalWorks Population Health (CCMR) (affected versions not specified) **Description** The issue is related to an SQL injection vulnerability in the portalUserService.jsp file. This vulnerability allows remote authenticated users to inject arbitrary malicious database commands as part of user input. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eClinicalWorks Population Health (CCMR) (affected versions not specified) **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability. This vulnerability is located in the portalUserService.jsp file and can be exploited by remote attackers to hijack the authentication of content administrators. The exploitation could lead to unauthorized creation, modification, and deletion of users, appointments, and employees. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eClinicalWorks Population Health (CCMR) (affected versions not specified) **Description** The issue concerns a session fixation problem. When a user is authenticated, the application fails to assign a new session ID. This allows for the use of an existing session ID. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ektron Content Management System (CMS) versions prior to 9.10 SP1 (Build 9.1.0.184.1.120) **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability. This vulnerability allows remote attackers to hijack the authentication of content administrators for requests that delete content via a delete action. The vulnerability is located in Test/WorkArea/DmsMenu/menuActions/MenuActions.aspx. **Recommendations** For versions prior to 9.10 SP1 (Build 9.1.0.184.1.120), update to version 9.10 SP1 (Build 9.1.0.184.1.120) or later to resolve the issue. As a temporary workaround, consider restricting access to the MenuActions.aspx page to minimize the risk of exploitation.