Ahmed Elhady Mohamed

**Name of the Vulnerable Software and Affected Versions** Hyperion Analytic Provider Services version 11.1.2.4 **Description** The issue is related to insufficient input validation in the Smart View Provider component of Hyperion Analytic Provider Services. This can allow a remote attacker to gain unauthorized access to protected information, modify, add, or delete data, or cause a denial of service using the HTTP protocol. The vulnerability is difficult to exploit and requires human interaction from someone other than the attacker, as well as access to the physical communication segment attached to the hardware where the service executes. Successful attacks can result in unauthorized access to some data, including read, update, insert, or delete access, as well as partial denial of service. **Recommendations** For version 11.1.2.4, consider restricting access to the Smart View Provider component until a fix is available. As a temporary workaround, limit the ability to modify, add, or delete data through this component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SDL Web version 8.5.0 **Description** The issue concerns an XXE vulnerability in the SaveUserSettings service of Content Manager, allowing unauthorized access to sensitive system files. **Recommendations** For SDL Web version 8.5.0, update to a version that includes a fix for this issue, as using an XXE vulnerability can lead to sensitive data exposure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Family Connections CMS (FCMS) versions 2.9 and earlier **Description** The issue allows remote attackers to hijack the authentication of arbitrary users for requests. This can be done by exploiting cross-site request forgery (CSRF) vulnerabilities in two areas: adding news via the "add" action to "familynews.php" and adding a prayer via the "add" action to "prayers.php". **Recommendations** For Family Connections CMS (FCMS) versions 2.9 and earlier, update to a version later than 2.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** DAlbum versions 1.44 build 174 and earlier **Description** The issue affects the photo/pass.php file, allowing remote attackers to exploit multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities enable attackers to hijack the authentication of administrators for specific requests, including adding a user via an `add` action, changing user passwords via a `change` action, or deleting a user via a `delete` action. **Recommendations** For DAlbum versions 1.44 build 174 and earlier, as a temporary workaround, consider disabling the `add`, `change`, and `delete` actions in the photo/pass.php file until a patch is available. Restrict access to the photo/pass.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SnackAmp version 3.1.3 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash. This can be achieved by providing a long string in an aiff file. **Recommendations** For SnackAmp version 3.1.3, consider avoiding the use of aiff files with long strings until a patch is available. As a temporary workaround, restrict access to aiff files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MediaChance Real-DRAW PRO version 5.2.4 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash, by sending a crafted file. The types of files that can cause this issue include PNG, WMF, PSD, TGA, TTF, BMP, TIFF, and PCX files. **Recommendations** For MediaChance Real-DRAW PRO version 5.2.4, consider avoiding the use of the affected file types until a patch is available. As a temporary workaround, restrict the opening of these file types to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.