Ahmed Shah

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue is related to a component of JD Edwards EnterpriseOne Tools, specifically the Web Runtime SEC. It can be easily exploited, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized access to critical data or complete access to all accessible data. The vulnerability can be exploited using a specially crafted HTTP request. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Runtime SEC component to minimize the risk of exploitation. Additionally, limit network access via HTTP to only necessary sources to reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue allows an unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools, resulting in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. The vulnerability can be easily exploited and is related to the disclosure of information due to inconsistency. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Runtime SEC component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue is related to a lack of authorization in the Design Tools SEC component. It can be easily exploited, allowing an unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The attacks can result in unauthorized update, insert, or delete access to some of JD Edwards EnterpriseOne Tools' accessible data, as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools' accessible data. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Design Tools SEC component via HTTP to minimize the risk of exploitation. Additionally, restrict access to sensitive data and implement strict authorization controls to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue is related to a lack of authentication for a critical function in the Web Runtime SEC component of JD Edwards EnterpriseOne Tools. This can be exploited by a remote attacker using a specially crafted HTTP request, potentially impacting the confidentiality, integrity, and availability of protected information. Successful attacks can result in the takeover of JD Edwards EnterpriseOne Tools. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Runtime SEC component to minimize the risk of exploitation. Additionally, limit network access via HTTP to reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue is related to a vulnerability in the Web Runtime SEC component of JD Edwards EnterpriseOne Tools, which can be easily exploited. This vulnerability allows an attacker with low privileges and network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker. The vulnerability can result in unauthorized update, insert, or delete access to some of JD Edwards EnterpriseOne Tools' accessible data, as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools' accessible data. The vulnerability is also related to cross-site request forgery. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Runtime SEC component until a patch is available. Additionally, restrict access to sensitive data and implement measures to prevent cross-site request forgery attacks.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue is related to the use of open redirection in the Web Runtime SEC component of JD Edwards EnterpriseOne Tools. This allows an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction and can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Runtime SEC component until a patch is available. Avoid using HTTP for network access until the issue is resolved. Restrict human interaction with the system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue allows a low-privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of JD Edwards EnterpriseOne Tools. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Runtime SEC component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue is related to insufficient input validation in the Web Runtime SEC component. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools, resulting in unauthorized read access to a subset of accessible data. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Runtime SEC component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** The issue is related to the Web Runtime SEC component and can be easily exploited, allowing an unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker. The vulnerability can result in unauthorized update, insert, or delete access to some of JD Edwards EnterpriseOne Tools' accessible data, as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools' accessible data. The attacks may significantly impact additional products. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Runtime SEC component to minimize the risk of exploitation. Avoid using the component until the issue is resolved. At the moment, there is no other information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 **Description** This issue allows an attacker with low privileges and network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash of JD Edwards EnterpriseOne Tools. The vulnerability is related to the Web Runtime SEC component and can be exploited to cause a denial of service. **Recommendations** For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeopleSoft Enterprise PeopleTools versions 8.58 and 8.59 **Description** The issue is related to insufficient input validation in the Updates Environment Mgmt component. It allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools, potentially resulting in a takeover. The vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions 8.58 and 8.59, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeopleSoft Enterprise FIN Cash Management version 9.2 **Description** The issue is related to insufficient input validation in the Financial Gateway component. It allows a low-privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Cash Management. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. Attacks can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For version 9.2, consider restricting access to the Financial Gateway component to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vim versions prior to 8.2.4646 **Description** The issue is related to a use after free in the `utf ptr2char` function. This can be exploited by a remote attacker using a specially crafted file, potentially allowing the execution of arbitrary code. **Recommendations** For versions prior to 8.2.4646, update to version 8.2.4646 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `utf ptr2char` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PyYAML versions prior to 5.4 **Description** A flaw in the PyYAML library allows for arbitrary code execution when processing untrusted YAML files through the `full load` method or with the `FullLoader` loader. This issue enables an attacker to execute arbitrary code on the system by exploiting the `python/object/new` constructor. The vulnerability is due to incomplete input validation when handling untrusted input, which can be exploited by a remote attacker using a specially crafted file. **Recommendations** For versions prior to 5.4, consider avoiding the use of the `full load` method or the `FullLoader` loader when processing untrusted YAML files until a patch is available. As a temporary workaround, restrict the processing of untrusted input to minimize the risk of exploitation.