Alessandro Bosco

**Name of the Vulnerable Software and Affected Versions** NOKIA NFM-T version R19.9 **Description** An issue exists in the Network Element Manager, specifically a Reflected XSS. This issue can be exploited via several API endpoints, including "/oms1350/pages/otn/cpbLogDisplay" via the `filename` parameter, under "/oms1350/pages/otn/connection/E2ERoutingDisplayWithOverLay" via the `id` parameter, and under "/oms1350/pages/otn/mainOtn" via all parameters. **Recommendations** For NOKIA NFM-T version R19.9, consider disabling access to the vulnerable API endpoints "/oms1350/pages/otn/cpbLogDisplay", "/oms1350/pages/otn/connection/E2ERoutingDisplayWithOverLay", and "/oms1350/pages/otn/mainOtn" until a patch is available. Additionally, restrict the use of the `filename` and `id` parameters in these endpoints to minimize the risk of exploitation. Avoid using all parameters in the "/oms1350/pages/otn/mainOtn" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NOKIA NFM-T version R19.9 **Description** A SQL Injection issue occurs in the /cgi-bin/R19.9/easy1350.pl endpoint of the VM Manager WebUI, specifically via the `id` or `host` HTTP GET parameters. This issue requires an authenticated attacker for exploitation. **Recommendations** For NOKIA NFM-T version R19.9, consider restricting access to the /cgi-bin/R19.9/easy1350.pl endpoint until a patch is available. As a temporary workaround, avoid using the `id` and `host` parameters in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NOKIA NFM-T version R19.9 **Description** An Unprotected Storage of Credentials issue occurs in the Network Element Manager under `/root/RestUploadManager.xml.DRC` and `/DEPOT/KECustom 199/OTNE DRC/RestUploadManager.xml`. A remote user, authenticated to the operating system with access privileges to the directory `/root` or `/DEPOT`, can read cleartext credentials to access the web portal NFM-T and control all the PPS Network elements. **Recommendations** For NOKIA NFM-T version R19.9, consider restricting access to the directories `/root` and `/DEPOT` to minimize the risk of exploitation. As a temporary workaround, limit the privileges of authenticated users to prevent them from reading sensitive files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ericsson Mobile Switching Center Server (MSC-S) versions BC 18A and IS 3.1 through IS 3.1 CP21 **Description** The issue allows relative path traversal via a specific parameter in the https request after authentication, which enables access to files on the system that are not intended to be accessible via the web application. **Recommendations** For Ericsson Mobile Switching Center Server (MSC-S) versions BC 18A and IS 3.1 through IS 3.1 CP21, update to IS 3.1 CP22 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ericsson Network Manager versions prior to 21.2 **Description** The issue allows users belonging to the same AMOS authorization group to retrieve data from certain log files, potentially leading to privilege escalation. All AMOS users are considered highly privileged in the ENM system and must be previously defined and authorized by the Security Administrator. These users can access log files under a common path and read stored information to conduct privilege escalation. **Recommendations** For versions prior to 21.2, consider restricting access to log files under the common path to minimize the risk of exploitation. As a temporary workaround, limit the privileges of AMOS users to prevent them from accessing sensitive information in the log files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Metasys ADS/ADX/OAS versions prior to 10.1.6 Metasys ADS/ADX/OAS versions prior to 11.0.2 **Description** Under certain circumstances, an unauthenticated user could access the web API and enumerate users. **Recommendations** For Metasys ADS/ADX/OAS versions prior to 10.1.6, update to version 10.1.6 or later. For Metasys ADS/ADX/OAS versions prior to 11.0.2, update to version 11.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** RESI Gemini-Net version 4.2 **Description** The issue allows unauthenticated remote attackers to inject arbitrary web script or HTML into an HTTP GET parameter that reflects user input without sanitization. This exists on numerous application endpoints. **Recommendations** For RESI Gemini-Net version 4.2, consider restricting access to the application endpoints until a patch is available. As a temporary workaround, avoid using the affected HTTP GET parameters that reflect user input without sanitization. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RESI Gemini-Net version 4.2 **Description** The issue is related to OS Command Injection, where the software does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software and inject arbitrary system commands with the privileges of the application user. This can be achieved by concatenating commands, such as `&|;r` commands. **Recommendations** For RESI Gemini-Net version 4.2, consider implementing input validation to prevent arbitrary system command injection. As a temporary workaround, restrict access to the resi-calltrace component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RESI Gemini-Net Web version 4.2 **Description** The issue is related to Improper Access Control in authorization logic, allowing an unauthenticated user to access some critical resources. **Recommendations** For RESI Gemini-Net Web version 4.2, consider restricting access to critical resources until a patch is available. As a temporary workaround, review and tighten the authorization logic to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Ericsson Network Manager versions prior to 21.2 **Description** The issue concerns incorrect access-control behavior, affecting users with highly privileged roles. It allows users within the same AMOS authorization group to retrieve managed-network data not intended for their access, specifically data restricted to a subset of the group. **Recommendations** For Ericsson Network Manager versions prior to 21.2, update to version 21.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Thruk versions prior to 2.44 Description: The issue allows for stored XSS, potentially enabling attackers to inject malicious scripts into the application. This could lead to unauthorized access or control of user sessions. Recommendations: For versions prior to 2.44, update to version 2.44 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive features or input fields to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Thruk versions 2.40-2 Description: The issue allows for Reflected XSS via the `host` or `service` parameter in the `/thruk/#cgi-bin/extinfo.cgi` API endpoint. An attacker could inject arbitrary JavaScript into extinfo.cgi, and the malicious payload would be triggered every time an authenticated user browses the page containing it. Recommendations: For Thruk versions 2.40-2, consider disabling access to the `/thruk/#cgi-bin/extinfo.cgi` API endpoint until a patch is available. Restrict the use of the `host` and `service` parameters to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Thruk versions 2.40 through 2 Description: The issue allows for Reflected XSS via the `host` or `title` parameter in the "/thruk/#cgi-bin/status.cgi" endpoint. An attacker could inject arbitrary JavaScript into status.cgi, which would be triggered every time an authenticated user browses the page containing it. Recommendations: For Thruk versions 2.40 through 2, as a temporary workaround, consider restricting access to the "/thruk/#cgi-bin/status.cgi" endpoint until a patch is available. Avoid using the `host` or `title` parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OSS-RC versions 18B and older **Description** The issue affects OSS-RC systems during data migration procedures, where files containing `usernames` and `passwords` are left undeleted in folders accessible by top privileged accounts only. This issue only affects products that are no longer supported by the maintainer. It is recommended that OSS-RC customers upgrade to Ericsson Network Manager, a new generation OSS system. **Recommendations** For OSS-RC versions 18B and older, consider upgrading to Ericsson Network Manager to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OSS-RC systems versions 18B and older **Description** The issue affects customer documentation browsing libraries under ALEX in OSS-RC systems, making them subject to Cross-Site Scripting. This problem is resolved in the new Ericsson library browsing tool ELEX used in systems like Ericsson Network Manager. The vulnerability only affects products that are no longer supported by the maintainer. **Recommendations** For OSS-RC systems versions 18B and older, upgrade to Ericsson Network Manager, which is a new generation OSS system and includes the resolved issue in its new library browsing tool ELEX.

**Name of the Vulnerable Software and Affected Versions** Oracle Business Intelligence Enterprise Edition versions 12.2.1.3.0 through 12.2.1.4.0 **Description** The issue is related to inadequate access control in the BI Platform Security component of Oracle Business Intelligence Enterprise Edition. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The vulnerability can result in unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. **Recommendations** For versions 12.2.1.3.0 and 12.2.1.4.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Business Intelligence Enterprise Edition versions 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient input validation in the Analytics Actions component of Oracle Business Intelligence Enterprise Edition. This can be exploited by a remote attacker to gain unauthorized access to protected information or cause a partial denial of service using the HTTP protocol. Successful attacks may require human interaction and can impact additional products, resulting in unauthorized access to data and potential partial denial of service. **Recommendations** For version 5.5.0.0.0, update to a version that includes the fix for this issue. For version 12.2.1.3.0, update to a version that includes the fix for this issue. For version 12.2.1.4.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Analytics Actions component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle Fusion Middleware BI Publisher versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient input validation in the BI Publisher Security component. It allows an unauthenticated attacker with network access via HTTP to compromise BI Publisher, potentially leading to unauthorized access to critical data or complete access to all BI Publisher accessible data. Successful attacks may also result in unauthorized update, insert, or delete access to some of BI Publisher's accessible data. The attack requires human interaction from a person other than the attacker and can significantly impact additional products. **Recommendations** For versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, consider restricting access to the BI Publisher Security component until a patch is available. As a temporary workaround, limit the use of HTTP protocol for sensitive operations in BI Publisher. Restrict access to critical data and ensure that only authorized personnel can update, insert, or delete data in BI Publisher. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Business Intelligence Enterprise Edition versions 5.5.0.0.0 through 12.2.1.4.0 **Description** The issue is related to insufficient access control in the Analytics Actions component of Oracle Business Intelligence Enterprise Edition. This can be exploited by a remote attacker to gain read, modify, add, or delete access to data using the HTTP protocol. Successful attacks may require human interaction and can significantly impact additional products, resulting in unauthorized access to critical data or complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. **Recommendations** For versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, consider restricting access to the Analytics Actions component until a patch is available. As a temporary workaround, consider disabling the `Analytics Actions` component to minimize the risk of exploitation. Restrict access to the vulnerable `Oracle Business Intelligence Enterprise Edition` to minimize the risk of unauthorized data access.