Amichai Shulman

**Name of the Vulnerable Software and Affected Versions** macOS Big Sur versions prior to 11.0.1 iOS (affected versions not specified) **Description** A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. A person with physical access to an iOS device may be able to access contacts from the lock screen. **Recommendations** For macOS Big Sur, update to version 11.0.1 or later to resolve the issue. For iOS, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.15.4 **Description** A logic issue was addressed with improved state management, which could allow a local user to view sensitive user information. **Recommendations** For versions prior to 10.15.4, update to macOS Catalina 10.15.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Windows versions prior to the fixed version Windows 7 Windows Server 2012 R2 Windows RT 8.1 Windows Server 2008 Windows Server 2012 Windows 8.1 Windows Server 2016 Windows Server 2008 R2 Windows 10 Windows 10 Servers **Description** An information disclosure issue exists due to the Windows bowser.sys kernel-mode driver's failure to properly handle objects in memory. This could allow an attacker to access the contents of system memory, potentially obtaining sensitive information and affecting the system. **Recommendations** For Windows 7, update to a newer version that contains a fix for this issue. For Windows Server 2012 R2, update to a newer version that contains a fix for this issue. For Windows RT 8.1, update to a newer version that contains a fix for this issue. For Windows Server 2008, update to a newer version that contains a fix for this issue. For Windows Server 2012, update to a newer version that contains a fix for this issue. For Windows 8.1, update to a newer version that contains a fix for this issue. For Windows Server 2016, update to a newer version that contains a fix for this issue. For Windows Server 2008 R2, update to a newer version that contains a fix for this issue. For Windows 10, update to a newer version that contains a fix for this issue. For Windows 10 Servers, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the bowser.sys kernel-mode driver until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Windows Server 2016 Windows 10 **Description** The issue is related to an elevation of privilege vulnerability in Microsoft Cortana, which allows arbitrary website browsing on the lockscreen. This is due to insufficient access restrictions in the virtual voice assistant Cortana in Windows operating systems. The exploitation of this issue may allow an attacker to elevate their privileges. **Recommendations** For Windows Server 2016 and Windows 10, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows 10 (affected versions not specified) Windows 10 Servers (affected versions not specified) **Description** An Elevation of Privilege issue exists due to Cortana retrieving data from user input services without considering status. This allows attackers to affect the system. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For Windows 10 and Windows 10 Servers, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database server versions 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, and 9.2.0.7 **Description** The issue is related to an unspecified vulnerability in the Net Listener component of the Oracle Database server. The impact and attack vectors of this issue are not specified. **Recommendations** For Oracle Database server version 8.1.7.4, update to a version that includes the fix for this issue. For Oracle Database server version 9.0.1.5, update to a version that includes the fix for this issue. For Oracle Database server version 9.0.1.5 FIPS, update to a version that includes the fix for this issue. For Oracle Database server version 9.2.0.7, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database server versions 9.2.0.6 and 10.1.0.4 **Description** The issue is related to an unspecified vulnerability in the Query Optimizer component of the Oracle Database server. The impact and attack vectors of this issue are not specified. **Recommendations** For Oracle Database server version 9.2.0.6, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Oracle Database server version 10.1.0.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database server versions 10.1.0.5 through 10.2.0.1 **Description** The issue is related to an unspecified vulnerability in the Streams Capture component, potentially allowing SQL injection in the SET DIRECTORY ROOT function within the DBMS CDC PUBLISH package. Details about the vulnerability are limited due to unavailability from Oracle. **Recommendations** For Oracle Database server versions 10.1.0.5 through 10.2.0.1, consider restricting access to the DBMS CDC PUBLISH package as a temporary mitigation measure until a patch is available. Avoid using the SET DIRECTORY ROOT function in the affected package to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database server versions 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 **Description** The issue is related to an unspecified vulnerability in the Upgrade & Downgrade component, potentially allowing SQL injection in the DBMS REGISTRY package. This affects certain parameters to the following functions: (1) IS COMPONENT, (2) GET COMP OPTION, (3) DISABLE DDL TRIGGERS, (4) SCRIPT EXISTS, (5) COMP PATH, (6) GATHER STATS, (7) NOTHING SCRIPT, and (8) VALIDATE COMPONENTS. The estimated number of potentially affected devices and details about real-world incidents are not available. **Recommendations** For Oracle Database server version 8.1.7.4, consider disabling the DBMS REGISTRY package until a patch is available. For Oracle Database server version 9.0.1.5, restrict access to the DBMS REGISTRY package to minimize the risk of exploitation. For Oracle Database server version 9.2.0.7, avoid using the vulnerable functions in the DBMS REGISTRY package until the issue is resolved. For Oracle Database server version 10.1.0.4, consider applying configuration changes to limit the impact of the vulnerability, such as restricting access to the affected parameters.

**Name of the Vulnerable Software and Affected Versions** Oracle Application Server versions 9.0.4.2 through 10.1.2.0 **Description** The issue concerns an unspecified vulnerability in the Portal component of Oracle Application Server. Details about the impact and attack vectors of this issue are not specified. **Recommendations** For versions 9.0.4.2 through 10.1.2.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Application Server versions 9.0.4.2 and 10.1.2.0.2 **Description** The issue concerns an unspecified vulnerability in the Oracle Reports Developer component. Details about the impact and attack vectors of this issue are not provided. **Recommendations** For Oracle Application Server version 9.0.4.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Oracle Application Server version 10.1.2.0.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Collaboration Suite version 9.0.4.2 **Description** The issue affects multiple components of Oracle Collaboration Suite, including the Email Server, Oracle Collaboration Suite Wireless & Voice, Oracle Content Management SDK, and Oracle Content Services. The vulnerabilities have unspecified impact and attack vectors. **Recommendations** For Oracle Collaboration Suite version 9.0.4.2, update to a version that addresses the identified vulnerabilities. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite and Applications version 11.5.9 **Description** The issue affects Oracle E-Business Suite and Applications, with unspecified vulnerabilities identified in several components, including the CRM Technical Foundation, iProcurement, and Oracle Application Object Library. These vulnerabilities have unspecified impact and attack vectors. **Recommendations** For Oracle E-Business Suite and Applications version 11.5.9, apply the fixes provided by Oracle for the identified vulnerabilities in the CRM Technical Foundation, iProcurement, and Oracle Application Object Library components. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite and Applications version 4.3 **Description** The issue concerns multiple unspecified vulnerabilities in the Oracle iLearning component, which have unspecified impact and attack vectors. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle PeopleSoft Enterprise Portal versions 8.4 Bundle 15, 8.8 Bundle 10, 8.9 Bundle 2 **Description** The issue affects Oracle PeopleSoft Enterprise Portal with unspecified impact and attack vectors. **Recommendations** For Oracle PeopleSoft Enterprise Portal versions 8.4 Bundle 15, 8.8 Bundle 10, and 8.9 Bundle 2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server version 10.1.0.4.2 Oracle Application Server version 10.1.2.0.2 Oracle Collaboration Suite Release 2 version 9.0.4.2 (Oracle9i) **Description** The issue affects the Reorganize Objects & Convert Tablespace component and has an unspecified impact and attack vectors. **Recommendations** For Oracle Database Server version 10.1.0.4.2, update to a version that addresses this issue. For Oracle Application Server version 10.1.2.0.2, update to a version that addresses this issue. For Oracle Collaboration Suite Release 2 version 9.0.4.2 (Oracle9i), update to a version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server version 10.2.0.1 Oracle Application Server versions 9.0.4.2 and 10.1.2.1 Oracle Collaboration Suite Release 2 version 9.0.4.2 (Oracle9i) Oracle E-Business Suite and Applications version 11.5.10 **Description** The issue concerns multiple unspecified vulnerabilities in various Oracle products, including Database Server, Application Server, Collaboration Suite, and E-Business Suite. These vulnerabilities are identified by Oracle Vuln# (1) WF02 and (2) WF03 in the Oracle Workflow Cartridge component. The impact and attack vectors of these vulnerabilities are not specified. **Recommendations** For Oracle Database Server version 10.2.0.1, update to a version that includes the fix for the Oracle Workflow Cartridge component vulnerabilities. For Oracle Application Server versions 9.0.4.2 and 10.1.2.1, update to a version that includes the fix for the Oracle Workflow Cartridge component vulnerabilities. For Oracle Collaboration Suite Release 2 version 9.0.4.2 (Oracle9i), update to a version that includes the fix for the Oracle Workflow Cartridge component vulnerabilities. For Oracle E-Business Suite and Applications version 11.5.10, update to a version that includes the fix for the Oracle Workflow Cartridge component vulnerabilities.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite and Applications version 11.5.10 **Description** The issue affects various components of Oracle E-Business Suite and Applications, including the Application Install, Oracle Applications Framework, Oracle Applications Technology Stack, Oracle Human Resources, Oracle Marketing, Marketing Encyclopedia System, Oracle Trade Management, and Oracle Web Applications Desktop Integration components. The vulnerabilities have unspecified impact and attack vectors. **Recommendations** For Oracle E-Business Suite and Applications version 11.5.10, apply the patches or fixes provided by Oracle for the respective components to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database server versions 8.1.7.4 and 9.0.1.5 **Description** The issue allows remote attackers to bypass security restrictions, execute arbitrary SQL commands, and gain access to sensitive data. The Connection Manager component is affected, but specific details about the impact and attack vectors are not provided. **Recommendations** For Oracle Database server version 8.1.7.4, update to a version that addresses the security restrictions bypass and arbitrary SQL command execution issues. For Oracle Database server version 9.0.1.5, update to a version that addresses the security restrictions bypass and arbitrary SQL command execution issues. As a temporary workaround, consider restricting access to sensitive data and limiting the execution of SQL commands until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle Database server version 10.1.0.5 **Description** The issue affects the Oracle Database server and involves multiple unspecified vulnerabilities in various components, including the Data Pump, Net Listener, and Oracle Text components. Specifically, it is claimed by a reliable independent researcher that one of the vulnerabilities, DB06, is a SQL injection issue in certain functions within the DBMS DATAPUMP module, including `GENERATE JOB NAME`, `GET WORKERSTATUSLIST1010`, `GET PARAMVALUES1010`, `GET DUMPFILESET1010`, `GET JOBSTATUS1010`, `ATTACH`, and `ESTABLISH REMOTE CONTEXT`. The exact impact and attack vectors are not specified due to unavailable details from Oracle. **Recommendations** For Oracle Database server version 10.1.0.5, as a temporary workaround, consider restricting access to the affected functions in the DBMS DATAPUMP module, specifically `GENERATE JOB NAME`, `GET WORKERSTATUSLIST1010`, `GET PARAMVALUES1010`, `GET DUMPFILESET1010`, `GET JOBSTATUS1010`, `ATTACH`, and `ESTABLISH REMOTE CONTEXT`, until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.