Andrés Roldán

**Name of the Vulnerable Software and Affected Versions** CyberArk Identity versions up to and including 22.1 **Description** The issue exposes the response header `X-CFY-TX-TM` in the 'StartAuthentication' resource. In certain configurations, this response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant. **Recommendations** For versions up to and including 22.1, consider restricting access to the 'StartAuthentication' resource to minimize the risk of exploitation. As a temporary workaround, avoid relying on the `X-CFY-TX-TM` response header for authentication purposes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Flexense DupScout Enterprise version 10.0.18 **Description** A buffer overflow in the web server of Flexense DupScout Enterprise allows a remote anonymous attacker to execute code as SYSTEM by overflowing the `sid` parameter via a GET "/settings&sid=" attack. **Recommendations** For Flexense DupScout Enterprise version 10.0.18, consider disabling the web server or restricting access to the "/settings" endpoint until a patch is available. Avoid using the `sid` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.