Andrej Simko

**Name of the Vulnerable Software and Affected Versions** PaperCut NG/MF (affected versions not specified) **Description** A reflected cross-site scripting (XSS) issue exists, allowing specially crafted JavaScript payloads to be executed in the browser. This occurs when a user clicks on a malicious link. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.2.3 through 12.2.11 **Description** The issue is related to insufficient input validation in the Instance Main component of Oracle Installed Base, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Installed Base. **Recommendations** For versions 12.2.3 through 12.2.11, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.3 and 12.2.3 through 12.2.10 Description: The issue allows a low-privileged attacker with network access via HTTP to compromise Oracle Applications Manager, requiring human interaction from a person other than the attacker. Successful attacks can result in unauthorized access to some of Oracle Applications Manager's data, including update, insert, or delete access, as well as unauthorized read access. Additionally, attacks may cause a partial denial of service of Oracle Applications Manager. Recommendations: For versions 12.1.3 and 12.2.3 through 12.2.10, update to a version that includes a fix for this issue to prevent unauthorized access and potential denial of service.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.3 and 12.2.3 through 12.2.10 Description: The issue allows an unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager, which is a component of Oracle E-Business Suite. Successful attacks require human interaction from a person other than the attacker. Although the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products. This can result in unauthorized update, insert, or delete access to some of Oracle Applications Manager's accessible data. Recommendations: For versions 12.1.3 and 12.2.3 through 12.2.10, update to a version that contains a fix for this issue to prevent unauthorized access to Oracle Applications Manager's data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.3 and 12.2.3 through 12.2.10 Description: The issue allows an unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager, specifically the View Reports component. Successful attacks require human interaction from a person other than the attacker. This can result in unauthorized update, insert, or delete access to some of Oracle Applications Manager's accessible data, as well as unauthorized read access to a subset of Oracle Applications Manager's accessible data. The impact of such attacks may significantly affect additional products. Recommendations: For versions 12.1.3, update to a version that includes the fix for this issue. For versions 12.2.3 through 12.2.10, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the View Reports component in Oracle Applications Manager until a patch is available.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.1 through 12.1.3 Description: The issue is related to inadequate access control in the Bill Issues component of the Oracle Bills of Material product. It allows a low-privileged attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to sensitive information. Recommendations: For versions 12.1.1 through 12.1.3, update to a version that includes the fix for this issue to prevent unauthorized access and data modification. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 Description: The issue is related to inadequate access control in the Oracle Knowledge Management component of Oracle E-Business Suite. This can be exploited by a remote attacker to modify, add, or delete data, and gain unauthorized access to protected information. Successful attacks may significantly impact additional products and can result in unauthorized access to critical data or complete access to all Oracle Knowledge Management accessible data. Recommendations: For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Oracle Knowledge Management component until a patch is available.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 Description: The issue is related to inadequate access control in the Shopping Cart component of Oracle iStore, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data, complete access to all Oracle iStore accessible data, as well as unauthorized update, insert, or delete access to some of Oracle iStore accessible data. Recommendations: For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Shopping Cart component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 **Description** The issue is related to errors in the code of the Template and GTIN search subcomponents of the Oracle Product Hub component. It allows a low-privileged attacker with network access via HTTP to compromise Oracle Product Hub. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all Oracle Product Hub accessible data, as well as unauthorized access to critical data or complete access to all Oracle Product Hub accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Template and GTIN search subcomponents of the Oracle Product Hub component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 **Description** The issue affects the Oracle Engineering product, allowing a low-privileged attacker with network access via HTTP to compromise Oracle Engineering. Successful attacks can result in unauthorized access to critical data or all accessible data, including creation, deletion, or modification of data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to resolve the issue. For versions 12.2.3 through 12.2.10, update to a version outside of this range to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.3 and 12.2.3 through 12.2.10 Description: The issue is related to insufficient access control in the Attribute Admin Setup component of the Oracle Partner Management product. This can be exploited by a remote attacker to modify, add, or delete data, and gain unauthorized access to sensitive information. The attack requires some interaction from a person other than the attacker and can significantly impact additional products, potentially leading to unauthorized access to critical data or complete access to all accessible data in Oracle Partner Management. Recommendations: For versions 12.1.3 and 12.2.3 through 12.2.10, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Attribute Admin Setup component until a patch is available. Restrict network access via HTTP to the Oracle Partner Management product to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle MySQL Server versions 8.0.23 and prior **Description** The issue is related to insufficient input validation in the Server: DML component of Oracle MySQL Server. It allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. **Recommendations** For versions 8.0.23 and prior, update to a version later than 8.0.23 to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle iStore versions 12.1.1 through 12.1.3 Oracle iStore versions 12.2.3 through 12.2.10 **Description** The issue is related to insufficient access control in the Shopping Cart component of Oracle iStore, allowing a remote attacker to modify, add, or delete data, or gain full control over the application via the HTTP protocol. Successful attacks require human interaction and may significantly impact additional products, resulting in unauthorized access to critical data or complete access to all Oracle iStore accessible data, as well as unauthorized update, insert, or delete access to some of Oracle iStore accessible data. **Recommendations** For Oracle iStore versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For Oracle iStore versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Shopping Cart component until a patch is available. Restrict access to sensitive data and implement additional security measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite (component: Shopping Cart) versions 12.1.1 through 12.1.3 Oracle E-Business Suite (component: Shopping Cart) versions 12.2.3 through 12.2.10 **Description** The issue is related to inadequate access control in the Shopping Cart component of Oracle iStore, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data, complete access to all Oracle iStore accessible data, as well as unauthorized update, insert, or delete access to some of Oracle iStore accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Shopping Cart component until a patch is available. Restrict access to sensitive data and implement additional monitoring to detect potential exploitation attempts.

**Name of the Vulnerable Software and Affected Versions** Oracle MySQL Server versions 8.0.23 and prior **Description** The issue is related to insufficient input validation in the Server: Optimizer component of Oracle MySQL Server. It allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. **Recommendations** For Oracle MySQL Server versions 8.0.23 and prior, update to a version later than 8.0.23 to resolve the issue. As a temporary workaround, consider restricting network access to the MySQL Server to minimize the risk of exploitation. Additionally, ensure that all inputs to the Server: Optimizer component are thoroughly validated to prevent potential attacks.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 **Description** The issue is related to insufficient access control in the Shopping Cart component of Oracle iStore, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data, as well as unauthorized update, insert, or delete access to some of Oracle iStore accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version that includes the fix for this issue. For versions 12.2.3 through 12.2.10, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Shopping Cart component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle iStore versions 12.1.1 through 12.1.3 Oracle iStore versions 12.2.3 through 12.2.10 **Description** The issue is related to insufficient access control in the Shopping Cart component of Oracle iStore, allowing a remote attacker to modify, add, or delete data, or gain full control over the application via the HTTP protocol. Successful attacks require human interaction and can significantly impact additional products, resulting in unauthorized access to critical data or complete access to all Oracle iStore accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to resolve the issue. For versions 12.2.3 through 12.2.10, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the Shopping Cart component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 **Description** The issue is related to insufficient access control in the Shopping Cart component of Oracle iStore, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data, complete access to all Oracle iStore accessible data, as well as unauthorized update, insert, or delete access to some of Oracle iStore accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Shopping Cart component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle iStore versions 12.1.1 through 12.1.3 Oracle iStore versions 12.2.3 through 12.2.10 **Description** The issue is related to insufficient access control in the Shopping Cart component of Oracle iStore, allowing a remote attacker to modify, add, or delete data, or gain full control over the application via the HTTP protocol. Successful attacks require human interaction and can significantly impact additional products, resulting in unauthorized access to critical data or complete access to all Oracle iStore accessible data. **Recommendations** For Oracle iStore versions 12.1.1 through 12.1.3, update to a version outside of this range to resolve the issue. For Oracle iStore versions 12.2.3 through 12.2.10, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the Shopping Cart component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.2.10 **Description** The issue is related to insufficient input validation in the Home page component of the Oracle Applications Framework. This allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Applications Framework, resulting in unauthorized creation, deletion, or modification access to critical data or all accessible data, as well as unauthorized access to critical data or complete access to all accessible data. **Recommendations** For version 12.2.10, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.