Abdulrahman Nour

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.2.3 through 12.2.10 Description: The issue is related to insufficient input validation in the Preferences component of Oracle CRM Technical Foundation. It allows a high-privileged attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized access to critical data, including creation, deletion, or modification of data. The estimated number of potentially affected devices is not provided. Recommendations: For versions 12.2.3 through 12.2.10, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Preferences component until a patch is available. Additionally, restrict HTTP access to the Oracle CRM Technical Foundation to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software (affected versions not specified) **Description** A flaw exists in the web services interface of Cisco ASA and FTD Software due to insufficient validation of input. This allows an unauthenticated, remote attacker to perform directory traversal attacks and read sensitive files on a targeted system. The issue stems from improper input validation of URLs within HTTP requests. An attacker can exploit this by sending a crafted HTTP request containing directory traversal sequences. Successful exploitation allows viewing arbitrary files within the web services file system, which is enabled when WebVPN or AnyConnect features are configured. This issue cannot be used to access ASA or FTD system files or the underlying operating system files. Reports indicate widespread exploitation of this issue, with attackers targeting Cisco IOS decoys and honeypots. Several tools and scripts have been developed to scan for and exploit this vulnerability. The vulnerability has been actively exploited and is considered highly dangerous. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.2.5 through 12.2.9 **Description** The issue is related to insufficient input validation in the Attachments / File Upload component of Oracle Applications Framework, allowing an unauthenticated attacker with network access via HTTP to compromise the framework. Successful attacks can result in unauthorized update, insert, or delete access to some of the framework's accessible data. **Recommendations** For versions 12.2.5 through 12.2.9, update to a version that includes the fix for this issue to prevent unauthorized access and data modification. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Configurator versions 12.1 and 12.2 **Description** The issue is related to insufficient access control in the Installation component of the Oracle Configurator application. It allows a remote attacker to gain unauthorized access to protected information via the HTTP protocol. Successful exploitation can result in unauthorized read access to a subset of Oracle Configurator accessible data. **Recommendations** For Oracle Configurator version 12.1, update to a version that includes the necessary security patches to address the insufficient access control issue. For Oracle Configurator version 12.2, apply the recommended security fixes to mitigate the risk of unauthorized access.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 5.7.29 and prior MySQL Server versions 8.0.19 and prior **Description** The issue is related to the Optimizer component of the MySQL Server, which is affected by a lack of access control. This allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. The vulnerability can be exploited remotely using the MySQL Protocol. **Recommendations** For MySQL Server versions 5.7.29 and prior, update to a version later than 5.7.29 to resolve the issue. For MySQL Server versions 8.0.19 and prior, update to a version later than 8.0.19 to resolve the issue. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation.