Nahuel D. Sanchez

**Name of the Vulnerable Software and Affected Versions** OSNEXUS QuantaStor versions prior to 4.3.1 **Description** A flaw was found in the error message sent as a response for non-existent users on the system. This could allow an attacker to enumerate valid accounts by searching for common usernames. **Recommendations** For versions prior to 4.3.1, update to version 4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the error message response to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OSNEXUS QuantaStor versions prior to 4.3.1 **Description** The issue allows an attacker to inject arbitrary HTML or JavaScript code as a parameter in a REST call, potentially leading to a cross-site scripting (XSS) attack. When an invalid REST call is invoked, the error response contains the previously invoked method, which is not sanitized. This lack of sanitization enables the inclusion of malicious code. **Recommendations** For OSNEXUS QuantaStor versions prior to 4.3.1, update to version 4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation. Avoid using parameters that could be used to inject malicious code in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SAP SLD Registration Program (SLDREG) (affected versions not specified) **Description** The issue allows local users to cause a denial of service, resulting in memory corruption and process termination, via a crafted `HOST` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.