Andrea Carlo Maria Dattola

**Name of the Vulnerable Software and Affected Versions** Eclipse Glassfish versions prior to 7.0.17 **Description** The Host HTTP parameter could cause the web application to redirect to the specified URL when the requested endpoint is "/management/domain". By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. **Recommendations** For Eclipse Glassfish versions prior to 7.0.17, as a temporary workaround, consider restricting access to the "/management/domain" endpoint until a patch is available. Avoid using the Host HTTP parameter in the affected endpoint to minimize the risk of exploitation. Update to version 7.0.17 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LIVEBOX Collaboration vDesk versions through v018 **Description** An issue in the web application allows Stored Cross-site Scripting (XSS) to occur under the "/api/v1/getbodyfile" endpoint via the `uri` parameter. The application does not properly check parameters sent in HTTP requests before saving them on the server. Crafted JavaScript content can then be reflected back to the end user and executed by the web browser. **Recommendations** For versions through v018, as a temporary workaround, consider restricting access to the "/api/v1/getbodyfile" endpoint to minimize the risk of exploitation. Avoid using the `uri` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SELESTA Visual Access Manager version 4.38.6 **Description** An issue in SELESTA Visual Access Manager allows attackers to modify the `computer` POST parameter related to the ID of a specific reception by POST HTTP request interception. This can lead to unauthorized access to the application and control of many other receptions beyond the assigned one. The issue can be exploited via local network only. **Recommendations** For SELESTA Visual Access Manager version 4.38.6, restrict local network access and monitor logs until a patch is available. As a temporary workaround, consider restricting access to the `computer` POST parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LIVEBOX Collaboration vDesk versions through v031 **Description** An issue was discovered allowing a URL Redirection to an Untrusted Site (Open Redirect) under the "/api/v1/notification/createnotification" endpoint. This enables an authenticated user to send an arbitrary push notification to any other user of the system, which can include an invisible clickable link. **Recommendations** For versions through v031, as a temporary workaround, consider restricting access to the "/api/v1/notification/createnotification" endpoint until a patch is available. Additionally, limiting the ability to send push notifications to only trusted users may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LIVEBOX Collaboration vDesk versions through v031 **Description** A basic XSS issue exists under the "/api/v1/vdeskintegration/todo/createorupdate" endpoint via the `title` parameter and "/dashboard/reminders". A remote user, authenticated to the product, can store arbitrary HTML code in the reminder section title to corrupt the web page, potentially creating phishing sections to exfiltrate victims' credentials. **Recommendations** For versions through v031, as a temporary workaround, consider restricting access to the "/api/v1/vdeskintegration/todo/createorupdate" endpoint and the "/dashboard/reminders" page to minimize the risk of exploitation. Avoid using the `title` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nokia NetAct version 22 **Description** An issue was discovered in the Site Configuration Tool website section, where a malicious user can change the filename of an uploaded file to include JavaScript code. This code is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. The API endpoint "/netact/sct" with the `filename` parameter is used for this purpose. **Recommendations** For Nokia NetAct version 22, consider disabling the ability to upload files through the Site Configuration Tool website section until a patch is available. Restrict access to the "/netact/sct" API endpoint to minimize the risk of exploitation. Avoid using the `filename` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nokia NetAct version 22 **Description** A remote user, authenticated to the website, can visit the Site Configuration Tool section and arbitrarily upload potentially dangerous files without restrictions via the "/netact/sct" dir parameter in conjunction with the `operation`=`upload` value. **Recommendations** For Nokia NetAct version 22, restrict access to the "/netact/sct" endpoint to prevent arbitrary file uploads until a patch is available. As a temporary workaround, consider disabling the file upload functionality in the Site Configuration Tool section to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nokia NetAct version 22 **Description** An issue was discovered in the Administration of Measurements website section, where a malicious user can edit or add the `templateName` parameter to include malicious code. This code is then downloaded as a .csv or .xlsx file and executed on a victim machine. The issue involves the "/aom/html/EditTemplate.jsf" and "/aom/html/ViewAllTemplatesPage.jsf" API endpoints, where the `templateName` parameter is used. **Recommendations** For Nokia NetAct version 22, as a temporary workaround, consider restricting access to the "/aom/html/EditTemplate.jsf" and "/aom/html/ViewAllTemplatesPage.jsf" API endpoints to minimize the risk of exploitation. Avoid using the `templateName` parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nokia NetAct version 22 **Description** An issue was discovered in the Administration of Measurements website section, where a malicious user can edit or add the `templateName` parameter to include JavaScript code. This code is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. The "/aom/html/EditTemplate.jsf" and "/aom/html/ViewAllTemplatesPage.jsf" `templateName` parameter is used. **Recommendations** As a temporary workaround, consider disabling the use of the `templateName` parameter in the affected API endpoints until a patch is available. Restrict access to the "/aom/html/EditTemplate.jsf" and "/aom/html/ViewAllTemplatesPage.jsf" endpoints to minimize the risk of exploitation. Avoid using the `templateName` parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ericsson Network Manager (ENM) versions prior to 22.2 **Description** The issue concerns a vulnerability in the REST endpoint "editprofile" where Open Redirect HTTP Header Injection can occur, potentially leading to the redirection of submitted requests to domains outside the control of the ENM deployment. An attacker would need admin or elevated access to exploit this issue. **Recommendations** For versions prior to 22.2, update to version 22.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "editprofile" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LIVEBOX Collaboration vDesk versions through v018 **Description** An issue allows an Insecure Direct Object Reference to occur under the "5.6.5-3/doc/{ID-FILE}/c/{N}/{C}/websocket" endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the `ID-FILE` of a target file. **Recommendations** For LIVEBOX Collaboration vDesk versions through v018, as a temporary workaround, consider restricting access to the "5.6.5-3/doc/{ID-FILE}/c/{N}/{C}/websocket" endpoint until a patch is available. Avoid using the `ID-FILE` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LIVEBOX Collaboration vDesk versions through v018 **Description** An issue exists in the software due to Broken Access Control. This issue affects several API endpoints: "/api/v1/vdeskintegration/saml/user/createorupdate", "/settings/guest-settings", "/settings/samlusers-settings", and "/settings/users-settings". A malicious user who is already logged in as a SAML User can escalate privileges from a low-privilege user (FGM user) to an administrative user (GGU user), including the administrator, or create new users without needing an admin role. **Recommendations** For LIVEBOX Collaboration vDesk versions through v018, as a temporary workaround, consider restricting access to the affected API endpoints until a patch is available. Additionally, restrict the ability to create new users and limit privilege escalation to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LIVEBOX Collaboration vDesk versions prior to v018 **Description** An issue was discovered in the web application, allowing Broken Access Control to occur under the "/api/v1/registration/validateEmail" endpoint, the "/api/v1/vdeskintegration/user/adduser" endpoint, and the "/api/v1/registration/changePasswordUser" endpoint. The application is affected by flaws in authorization logic, enabling a malicious user with no privileges to perform privilege escalation to the administrator role and steal the accounts of any users on the system. **Recommendations** For versions prior to v018, update to version v018 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v1/registration/validateEmail", "/api/v1/vdeskintegration/user/adduser", and "/api/v1/registration/changePasswordUser" endpoints until a patch is available. Additionally, monitor user activity and permissions closely to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ericsson Evolved Packet Gateway (EPG) versions 2.x before 2.16 Ericsson Evolved Packet Gateway (EPG) versions 3.x before 3.25 **Description** The issue is related to the command-line interface (CLI) of the Ericsson Evolved Packet Gateway (EPG) and is associated with access control deficiencies. Exploitation of the issue may allow a remote attacker to execute arbitrary commands. Authenticated users can bypass the system CLI and execute commands they are authorized to execute directly in the UNIX shell. **Recommendations** For Ericsson Evolved Packet Gateway (EPG) versions 2.x before 2.16, update to version 2.16 or later to resolve the issue. For Ericsson Evolved Packet Gateway (EPG) versions 3.x before 3.25, update to version 3.25 or later to resolve the issue. As a temporary workaround, consider restricting access to the CLI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nokia AirFrame BMC Web GUI versions prior to R18 Firmware v4.13.00 **Description** A security issue was found in the software, related to improper access control. It does not correctly validate requests to access or edit data and functionality in certain API endpoints, such as "/#settings/*" and "/api/settings/*". This allows a potential attacker to view sensitive data and modify system configurations, which could lead to denial of service (DoS), without being checked for user identity or permissions. **Recommendations** For Nokia AirFrame BMC Web GUI versions prior to R18 Firmware v4.13.00, update to R18 Firmware v4.13.00 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/#settings/*" and "/api/settings/*" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nokia NetAct version 18A **Description** A malicious user can modify the filename of an uploaded file to include JavaScript code. This code is then stored and executed by a victim's web browser. The issue can be exploited by including malicious content as a parameter in a URL, which is then posted publicly or e-mailed to victims. Specifically, the `/netact/sct` API endpoint is used, with the `filename` parameter being vulnerable. **Recommendations** For Nokia NetAct version 18A, consider disabling the ability to upload files or restricting access to the `/netact/sct` API endpoint until a fix is available. Additionally, avoid using the `filename` parameter in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nokia NetAct version 18A **Description** A remote user, authenticated to the Nokia NetAct Web Page, can upload potentially dangerous files without restrictions. This is achieved by visiting the Site Configuration Tool web site section and using the `/netact/sct` API endpoint with the `dir` parameter in conjunction with the `operation=upload` value. **Recommendations** For Nokia NetAct version 18A, restrict access to the `/netact/sct` API endpoint to prevent arbitrary file uploads until a fix is available. As a temporary workaround, consider disabling the file upload functionality via the `operation=upload` value to minimize the risk of exploitation.