Alexis Pain

**Name of the Vulnerable Software and Affected Versions** ViewerJS version 0.5.8 **Description** An issue was discovered in ViewerJS where a script from the component loads content via URL TAGs without properly sanitizing it, leading to both open redirection and out-of-band resource loading. **Recommendations** For ViewerJS version 0.5.8, consider disabling the script that loads content via URL TAGs until a patch is available. Restrict access to the component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Telindus Apsal version 3.14.2022.235 b **Description** An issue was discovered in the Open Document feature, allowing an attacker to upload a crafted file and execute arbitrary code. **Recommendations** For Telindus Apsal version 3.14.2022.235 b, consider disabling the Open Document feature until a patch is available to prevent the execution of arbitrary code by an attacker.

**Name of the Vulnerable Software and Affected Versions** Telindus Apsal version 3.14.2022.235 b **Description** An issue was discovered that allows unauthorized actions, which could modify the application's behavior, and these actions may not be blocked. **Recommendations** For Telindus Apsal version 3.14.2022.235 b, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Telindus Apsal version 3.14.2022.235 b **Description** An issue was discovered in the consultation permission, which is insecure. **Recommendations** For Telindus Apsal version 3.14.2022.235 b, consider restricting access to the consultation permission to minimize the risk of exploitation until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Talend Administration Center version 7.3.1.20200219 **Description** The Forgot Password feature in the affected software provides different error messages for invalid reset attempts depending on whether the email address is associated with any account. This allows remote attackers to enumerate accounts via a series of requests to the Forgot Password feature. **Recommendations** For Talend Administration Center version 7.3.1.20200219, update to a version that includes the fix for the issue, specifically after TAC-15950, to resolve the account enumeration vulnerability. As a temporary workaround, consider restricting access to the Forgot Password feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GFOS Workforce Management version 4.8.272.1 **Description** The login page of the application is prone to authentication bypass, allowing anyone who knows a user's credentials except the password to get access to an account. This occurs because of JSESSIONID mismanagement. **Recommendations** For GFOS Workforce Management version 4.8.272.1, consider temporarily restricting access to the login page until a patch is available. As a mitigation measure, review and manage JSESSIONID properly to prevent mismanagement. At the moment, there is no information about a newer version that contains a fix for this vulnerability.