Ken Cijsouw

**Name of the Vulnerable Software and Affected Versions** TOPdesk versions prior to 5.7.6 TOPdesk versions 6.x TOPdesk versions 7.x prior to 7.03.019 **Description** The issue is related to reflected XSS. **Recommendations** For versions prior to 5.7.6, update to version 5.7.6 or later. For versions 6.x, update to version 7.03.019 or later. For versions 7.x prior to 7.03.019, update to version 7.03.019 or later.

**Name of the Vulnerable Software and Affected Versions** Serena Dimensions CM version 12.2 build 7.199.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the web client. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various parameters to the "dimensions/" URI, including `DB CONN`, `DB NAME`, `DM HOST`, `MAN DB NAME`, `framecmd`, `identifier`, `merant.adm.adapters.AdmDialogPropertyMgr`, `nav frame`, `nav jsp`, `target frame`, `id`, or `type`. **Recommendations** For Serena Dimensions CM version 12.2 build 7.199.0, consider restricting access to the dimensions/ URI until a patch is available. As a temporary workaround, avoid using the parameters `DB CONN`, `DB NAME`, `DM HOST`, `MAN DB NAME`, `framecmd`, `identifier`, `merant.adm.adapters.AdmDialogPropertyMgr`, `nav frame`, `nav jsp`, `target frame`, `id`, or `type` in the affected API endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Serena Dimensions CM version 12.2 build 7.199.0 **Description** A cross-site request forgery (CSRF) issue exists, allowing remote attackers to hijack the authentication of administrators for requests that use the `user new master` parameter to the "adminconsole/" API endpoint. **Recommendations** For Serena Dimensions CM version 12.2 build 7.199.0, consider disabling access to the "adminconsole/" API endpoint until a fix is available, or restrict the use of the `user new master` parameter to prevent exploitation.