Andrey Medov

**Name of the Vulnerable Software and Affected Versions** FortiWeb versions 6.3.7 and below FortiWeb versions 6.2.3 and below FortiWeb versions 6.1.x FortiWeb versions 6.0.x FortiWeb versions 5.9.x **Description** The issue is an OS command injection vulnerability in FortiWeb's management interface. This vulnerability may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page. The vulnerability exists due to the lack of measures to neutralize special elements used in the OS command. **Recommendations** For FortiWeb versions 6.3.7 and below, consider disabling the SAML server configuration page until a patch is available. For FortiWeb versions 6.2.3 and below, restrict access to the management interface to minimize the risk of exploitation. For FortiWeb versions 6.1.x, 6.0.x, and 5.9.x, avoid using the SAML server configuration page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FortiWeb versions 6.3.0 through 6.3.7 FortiWeb versions prior to 6.2.4 **Description** The issue is related to an improper neutralization of input during web page generation in the FortiWeb GUI interface. This may allow an unauthenticated, remote attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload in different vulnerable API end-points. **Recommendations** For FortiWeb versions 6.3.0 through 6.3.7, update to a version outside of this range to resolve the issue. For FortiWeb versions prior to 6.2.4, update to version 6.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API end-points until a patch is available.

Name of the Vulnerable Software and Affected Versions: FortiWeb versions 6.3.0 through 6.3.5 Description: A format string vulnerability may allow an authenticated, remote attacker to read the content of memory and retrieve sensitive data via the `redir` parameter. Recommendations: For FortiWeb versions 6.3.0 through 6.3.5, consider restricting access to the `redir` parameter until a patch is available. As a temporary workaround, avoid using the `redir` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FortiWeb versions 6.3.0 through 6.3.7 FortiWeb versions prior to 6.2.4 Description: A stack-based buffer overflow issue may allow a remote, unauthenticated attacker to crash the httpd daemon thread by sending a request with a crafted `cookie` header. Recommendations: For FortiWeb versions 6.3.0 through 6.3.7, update to a version outside of this range to resolve the issue. For FortiWeb versions prior to 6.2.4, update to version 6.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the httpd daemon thread to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FortiWeb versions 6.3.0 through 6.3.7 FortiWeb versions prior to 6.2.4 FortiWeb versions 6.3.11 and earlier **Description** A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted `Authorization` header containing a malicious SQL statement. The vulnerability is related to the lack of protection of the SQL query structure. Rapid7 revealed that this vulnerability grants complete control over the affected device. **Recommendations** For FortiWeb versions 6.3.0 through 6.3.7, consider disabling the `Authorization` header until a patch is available. For FortiWeb versions prior to 6.2.4, restrict access to the user interface to minimize the risk of exploitation. For FortiWeb versions 6.3.11 and earlier, avoid using the `Authorization` header in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FortiWeb versions 6.3.0 through 6.3.5 FortiWeb versions prior to 6.2.4 Description: A stack-based buffer overflow issue may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large `certname`. This could enable the attacker to execute arbitrary code. Recommendations: For FortiWeb versions 6.3.0 through 6.3.5, update to a version outside of this range to resolve the issue. For FortiWeb versions prior to 6.2.4, update to version 6.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable function related to the `certname` parameter until a patch is available.

Name of the Vulnerable Software and Affected Versions: Citrix XenMobile Server versions 10.12 before RP2 Citrix XenMobile Server versions 10.11 before RP4 Citrix XenMobile Server versions 10.10 before RP6 Citrix XenMobile Server versions prior to 10.9 RP5 Description: The issue is related to improper access control in Citrix XenMobile Server, which can allow a remote attacker to gain unauthorized access to protected information. This is due to incorrect restriction of the directory path name with limited access. The exploitation of this issue may enable the attacker to read arbitrary files. Recommendations: For Citrix XenMobile Server version 10.12 before RP2, update to RP2 or later to resolve the issue. For Citrix XenMobile Server version 10.11 before RP4, update to RP4 or later to resolve the issue. For Citrix XenMobile Server version 10.10 before RP6, update to RP6 or later to resolve the issue. For Citrix XenMobile Server versions prior to 10.9 RP5, update to 10.9 RP5 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: IBM Maximo Asset Management versions 7.6.0 through 7.6.1 Description: The issue is related to an unsafe deserialization in Java, which could allow a remote authenticated attacker to execute arbitrary code on the system. This can be achieved by sending a specially-crafted request, enabling the attacker to exploit the vulnerability and execute arbitrary code. Recommendations: For IBM Maximo Asset Management versions 7.6.0 and 7.6.1, consider disabling the deserialization mechanism in Java as a temporary workaround until a patch is available. Restrict access to the system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBM Maximo Asset Management versions 7.6.0 through 7.6.1 Description: The issue is related to insufficient validation of incoming requests, which may allow a remote attacker to perform a Server Side Request Forgery (SSRF) attack. This could enable an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. Recommendations: For versions 7.6.0 and 7.6.1, consider restricting access to vulnerable components or functions until a patch is available. As a temporary workaround, disabling the functionality that allows server-side requests may help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco TelePresence Video Communication Server (VCS) versions prior to X7.2.4 Cisco TelePresence Video Communication Server (VCS) versions X8 prior to X8.1.2 Cisco TelePresence Video Communication Server (VCS) versions X8.2 prior to X8.2.2 Cisco Expressway versions prior to X7.2.4 Cisco Expressway versions X8 prior to X8.1.2 Cisco Expressway versions X8.2 prior to X8.2.2 Cisco TelePresence Conductor versions prior to X2.3.1 Cisco TelePresence Conductor versions XC2.4 prior to XC2.4.1 **Description** The management interface in the affected software allows remote attackers to bypass authentication via crafted login parameters. This is due to deficiencies in the authentication procedure. An attacker can exploit this issue to gain access to the device using a specially formed username. **Recommendations** For Cisco TelePresence Video Communication Server (VCS) versions prior to X7.2.4, update to version X7.2.4 or later. For Cisco TelePresence Video Communication Server (VCS) versions X8 prior to X8.1.2, update to version X8.1.2 or later. For Cisco TelePresence Video Communication Server (VCS) versions X8.2 prior to X8.2.2, update to version X8.2.2 or later. For Cisco Expressway versions prior to X7.2.4, update to version X7.2.4 or later. For Cisco Expressway versions X8 prior to X8.1.2, update to version X8.1.2 or later. For Cisco Expressway versions X8.2 prior to X8.2.2, update to version X8.2.2 or later. For Cisco TelePresence Conductor versions prior to X2.3.1, update to version X2.3.1 or later. For Cisco TelePresence Conductor versions XC2.4 prior to XC2.4.1, update to version XC2.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Oracle Fusion Middleware version 10.1.3.5 **Description** The issue affects confidentiality and is related to HTTP Request Handling. It involves incorrect handling of a null byte in the path when forwarding a request to another static page or JSP script using functions like `pageContext.forward` or `jsp:forward`. This can disrupt the logic of script processing by global servlets, potentially allowing an attacker to form a request to process a JSP script as SHTML, thereby obtaining the script's source code. On Windows operating systems, in combination with a directory traversal vulnerability, this could lead to the execution of arbitrary commands when a file containing SHTML code is called as an SHTML script. **Recommendations** For Oracle Fusion Middleware version 10.1.3.5, consider restricting access to vulnerable functions like `pageContext.forward` or `jsp:forward` until a patch is available. Additionally, avoid using the `jsp:forward` function to forward requests to static pages or JSP scripts that could be manipulated by an attacker. As a temporary workaround, consider disabling the execution of SHTML scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Siemens WinCC versions 7.0 SP3 through Update 2 **Description** The issue is related to a buffer overflow in the DiagAgent web server, which can be exploited by remote attackers to cause a denial of service, resulting in an agent outage. This can be achieved by sending crafted input to the vulnerable server. **Recommendations** For versions 7.0 SP3 through Update 2, update to a version later than Update 2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Siemens WinCC version 7.0 SP3 before Update 2 **Description** The issue allows remote authenticated users to read arbitrary files via a crafted parameter in a URL, due to multiple directory traversal vulnerabilities. **Recommendations** For Siemens WinCC version 7.0 SP3 before Update 2, apply Update 2 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Siemens WinCC version 7.0 SP3 before Update 2 **Description** The issue concerns the XPath functionality in web applications, which does not properly handle special characters in parameters. This allows remote authenticated users to read or modify settings via a crafted URL, related to an "XML injection" attack. **Recommendations** For Siemens WinCC version 7.0 SP3 before Update 2, update to a version that includes Update 2 to resolve the issue. As a temporary workaround, consider restricting access to the XPath functionality to minimize the risk of exploitation. Avoid using special characters in parameters for the affected web applications until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Siemens WinCC version 7.0 SP3 before Update 2 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a GET request. This can be achieved by including a malicious URL in the request. **Recommendations** For Siemens WinCC version 7.0 SP3 before Update 2, apply Update 2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Siemens WinCC version 7.0 SP3 before Update 2 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in unspecified web applications. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors involving special characters in parameters. **Recommendations** For Siemens WinCC version 7.0 SP3 before Update 2, apply Update 2 to resolve the issue.