Meder Kydyraliev

**Name of the Vulnerable Software and Affected Versions** Application Firewall in Apple OS X versions prior to 10.12 **Description** The issue allows local users to cause a denial of service via vectors involving a crafted `SO EXECPATH` environment variable. **Recommendations** For versions prior to 10.12, update to Apple OS X version 10.12 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OS X versions prior to 10.10 **Description** The issue allows attackers to bypass intended sandbox restrictions. This is achieved by creating an application that specifies a crafted handler for the Content-Type field of an object. **Recommendations** For OS X versions prior to 10.10, update to version 10.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 8 Apple TV versions prior to 7 **Description** The issue concerns the kernel's use of a predictable random number generator during the early boot process. This predictability allows attackers to bypass certain kernel-hardening protection mechanisms. Attackers can use a user-space process to observe data related to the random numbers, potentially exploiting this weakness. **Recommendations** For Apple iOS versions prior to 8, update to version 8 or later to resolve the issue. For Apple TV versions prior to 7, update to version 7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.9.2 **Description** The issue concerns the Apple Type Services (ATS) in Apple OS X, where it fails to properly validate calls to the free function. This allows attackers to bypass the App Sandbox protection mechanism by sending crafted Mach messages. **Recommendations** For versions prior to 10.9.2, update to version 10.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.9.2 **Description** The issue allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages that trigger memory corruption. **Recommendations** For Apple OS X versions prior to 10.9.2, update to version 10.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.9.2 **Description** A buffer overflow issue in Apple Type Services (ATS) allows attackers to bypass the App Sandbox protection mechanism. This is achieved by sending crafted Mach messages. **Recommendations** For Apple OS X versions prior to 10.9.2, update to version 10.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JBoss Seam 2 versions 2.0 through 2.3 JBoss Enterprise Application Platform version 4.3.0 **Description** The issue is related to the improper sanitization of inputs for JBoss Expression Language (EL) expressions in JBoss Seam 2, which can be exploited by remote attackers to execute arbitrary code via a crafted URL. This is only considered a vulnerability when the Java Security Manager is not properly configured. **Recommendations** For JBoss Seam 2 versions 2.0 through 2.3, ensure the Java Security Manager is properly configured to mitigate the risk of exploitation. For JBoss Enterprise Application Platform version 4.3.0, consider implementing additional security measures to restrict access to vulnerable components until a proper configuration of the Java Security Manager can be achieved.

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions 2.0.0 through 2.1.8.1 **Description** The OGNL extensive expression evaluation capability in XWork in Struts uses a permissive whitelist, allowing remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the `#context`, `# memberAccess`, `#root`, `#this`, `# typeResolver`, `# classResolver`, `# traceEvaluations`, `# lastEvaluation`, and `# keepLastEvaluation` OGNL context variables. This vulnerability enables a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server-side context objects. **Recommendations** For Apache Struts versions 2.0.0 through 2.1.8.1, consider disabling the OGNL expression evaluation capability or restricting access to the vulnerable ParametersInterceptor until a patch is available. Avoid using the `#context`, `# memberAccess`, `#root`, `#this`, `# typeResolver`, `# classResolver`, `# traceEvaluations`, `# lastEvaluation`, and `# keepLastEvaluation` variables in the affected API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSymphony XWork versions 2.0.x through 2.0.5 OpenSymphony XWork versions 2.1.x through 2.1.1 **Description** The issue allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects. This is due to the ParametersInterceptor in OpenSymphony XWork not properly restricting # (pound sign) references to context objects. **Recommendations** For OpenSymphony XWork versions 2.0.x through 2.0.5, update to version 2.0.6 or later. For OpenSymphony XWork versions 2.1.x through 2.1.1, update to version 2.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Alkacon OpenCms versions prior to 6.2.2 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote authenticated users to inject arbitrary web script or HTML via the message body. **Recommendations** For versions prior to 6.2.2, update to version 6.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Alkacon OpenCms versions prior to 6.2.2 **Description** The issue allows remote authenticated users to read the source code of arbitrary JSP files by specifying the file in the `resource` parameter. This can be demonstrated using the `index.jsp` file in the `system/workplace/editors/editor.jsp` endpoint. **Recommendations** For versions prior to 6.2.2, update to version 6.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `system/workplace/editors/editor.jsp` endpoint to minimize the risk of exploitation. Avoid using the `resource` parameter in this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Alkacon OpenCms versions prior to 6.2.2 **Description** The issue allows remote authenticated users to access administrator functions without proper restrictions. This enables them to perform various actions, including sending broadcast messages to all users through the "/workplace/broadcast" endpoint, listing all users via the "/accounts/users" endpoint, adding web users through the "/accounts/webusers/new" endpoint, uploading database import and export files via the "/database/importhttp" endpoint, uploading arbitrary program modules through the "/modules/modules import" endpoint, and reading the log file through the "/workplace/logfileview" endpoint. This is achieved by setting the appropriate value for the `path` parameter in a direct request to "admin-main.jsp". **Recommendations** For versions prior to 6.2.2, update to version 6.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin-main.jsp" page and its associated endpoints to minimize the risk of exploitation. Avoid using the `path` parameter in direct requests to "admin-main.jsp" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Alkacon OpenCms versions prior to 6.2.2 **Description** The issue allows remote authenticated users to download arbitrary files via an absolute pathname in the `filePath` parameter in the downloadTrigger.jsp file. **Recommendations** For versions prior to 6.2.2, update to version 6.2.2 or later to resolve the issue.