Abdelrhman Yousri

**Name of the Vulnerable Software and Affected Versions** IBM Maximo Asset Management versions 7.6.1.1 through 7.6.1.3 IBM Maximo Application Suite versions 8.8 through 8.9 **Description** This issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. The vulnerability is related to stored cross-site scripting. **Recommendations** For IBM Maximo Asset Management versions 7.6.1.1 through 7.6.1.3, update to a version that includes the fix for this issue. For IBM Maximo Application Suite versions 8.8 through 8.9, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Web UI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4 through 5.0 **Description** The issue is due to insufficient input validation in the Mediation Engine component. It allows a high-privileged attacker with network access via HTTP to compromise Oracle Communications Operations Monitor, potentially impacting additional products. Successful attacks can result in unauthorized access to data, including update, insert, or delete access, as well as unauthorized read access and the ability to cause a partial denial of service. **Recommendations** For versions 3.4 through 5.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4, 4.2, 4.3, 4.4, 5.0 **Description** The issue exists due to insufficient input validation in the Mediation Engine component of Oracle Communications Operations Monitor. This allows a remote attacker to gain read access to data or modify data using specially crafted HTTP requests. Successful attacks may significantly impact additional products and can result in unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data. **Recommendations** For versions 3.4, 4.2, 4.3, 4.4, 5.0, consider restricting access to the Mediation Engine component until a patch is available. As a temporary workaround, avoid using specially crafted HTTP requests to the affected component. Restrict network access via HTTP to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4 through 5.0 **Description** The issue is related to insufficient input validation in the Mediation Engine component of Oracle Communications Operations Monitor. It allows a high-privileged attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The attacks can result in unauthorized update, insert, or delete access to some of the accessible data, as well as unauthorized read access to a subset of the accessible data. **Recommendations** For versions 3.4 through 5.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Unified Communications Manager (affected versions not specified) Cisco Unified Communications Manager Session Management Edition (affected versions not specified) Cisco Unified Communications Manager IM & Presence Service (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This is due to insufficient CSRF protections for the web-based management interface. An attacker could exploit this by persuading a user to click a malicious link, allowing the attacker to perform arbitrary actions with the targeted user's privilege level, including modifying device configuration and deleting user accounts. **Recommendations** For Cisco Unified Communications Manager, consider disabling access to the web-based management interface until a fix is available. For Cisco Unified Communications Manager Session Management Edition, restrict access to the interface to minimize the risk of exploitation. For Cisco Unified Communications Manager IM & Presence Service, avoid using the interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Prime Access Registrar (affected versions not specified) **Description** A vulnerability in the web-based management interface of Cisco Prime Access Registrar could allow an authenticated, remote attacker to perform a stored cross-site scripting attack on an affected system. This issue exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. The attacker would need valid administrative credentials to exploit this vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.