Bing Liu

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via T3, IIOP to compromise the server. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. It is estimated that millions of servers worldwide are affected, with 166,000 in Brazil alone. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0, update to a version that includes the fix released by Oracle on January 24. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix released by Oracle on January 24. As a temporary workaround, consider restricting access to the T3 and IIOP protocols to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, part of the Oracle Fusion Middleware platform. This can be exploited by a remote attacker to disclose sensitive information. Successful attacks can result in unauthorized access to critical data or complete access to all accessible data on the Oracle WebLogic Server. The vulnerability can be easily exploited by an unauthenticated attacker with network access via IIOP. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 and 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting network access via IIOP to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an authenticated, remote attacker to execute arbitrary code or cause the web-based management process on the device to restart unexpectedly, resulting in a denial of service (DoS) condition. The attacker must have valid administrator credentials. This issue is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this by sending crafted HTTP input to an affected device, potentially allowing the execution of arbitrary code as the root user on the underlying operating system or causing the web-based management process to restart. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vRealize Operations versions (affected versions not specified) **Description** The issue is related to a broken access control vulnerability in the VMware vRealize Operations tool, which can lead to information disclosure. This vulnerability may allow a remote attacker to disclose protected information. The severity of this issue is considered moderate. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vRealize Operations (vROps) (affected versions not specified) **Description** The issue is related to improper privilege management in vRealize Operations, which can lead to a privilege escalation. This allows a remote attacker to potentially elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Excel versions 2002 SP3, 2003 SP3, 2007 SP2 Office 2004 and 2008 for Mac Open XML File Format Converter for Mac Excel Viewer version SP2 Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats version SP2 **Description** A remote code execution issue exists due to improper validation of record structures during the parsing of Excel spreadsheets, allowing remote attackers to execute arbitrary code via a crafted spreadsheet. This could enable an attacker to take complete control of an affected system, potentially leading to the installation of programs, viewing, changing, or deleting data, or creating new accounts with full user rights. **Recommendations** For Microsoft Excel versions 2002 SP3, 2003 SP3, and 2007 SP2, update to a version that properly validates record structures during parsing of Excel spreadsheets. For Office 2004 and 2008 for Mac, update to a version that properly validates record structures during parsing of Excel spreadsheets. For Open XML File Format Converter for Mac, update to a version that properly validates record structures during parsing of Excel spreadsheets. For Excel Viewer version SP2, update to a version that properly validates record structures during parsing of Excel spreadsheets. For Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats version SP2, update to a version that properly validates record structures during parsing of Excel spreadsheets.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Excel (affected versions not specified) **Description** A remote code execution issue exists in the way Microsoft Office Excel handles specially crafted Excel files. This could allow an attacker to take complete control of an affected system, enabling them to install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Visio versions 2002 SP2, 2003 SP3, 2007 SP1, and 2007 SP2 **Description** A remote code execution issue exists due to improper calculation of indexes associated with Visio files. This allows attackers to execute arbitrary code via a crafted file. An attacker who successfully exploits this issue could take complete control of an affected system, enabling them to install programs, view, change, or delete data, or create new accounts with full user rights. Users with fewer user rights on the system could be less affected than those operating with administrative user rights. **Recommendations** For Microsoft Office Visio 2002 SP2, update to a version that properly calculates indexes to prevent remote code execution. For Microsoft Office Visio 2003 SP3, update to a version that properly calculates indexes to prevent remote code execution. For Microsoft Office Visio 2007 SP1 and SP2, update to a version that properly calculates indexes to prevent remote code execution.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Visio versions 2002 SP2, 2003 SP3, 2007 SP1, 2007 SP2 **Description** A remote code execution issue exists due to improper validation of attributes in Visio files. This allows attackers to execute arbitrary code via a crafted file. An attacker who successfully exploits this issue could take complete control of an affected system, enabling them to install programs, view, change, or delete data, or create new accounts with full user rights. The impact may be less severe for users with limited user rights compared to those operating with administrative rights. **Recommendations** For Microsoft Office Visio 2002 SP2, update to a version that properly validates attributes in Visio files. For Microsoft Office Visio 2003 SP3, update to a version that properly validates attributes in Visio files. For Microsoft Office Visio 2007 SP1, update to a version that properly validates attributes in Visio files. For Microsoft Office Visio 2007 SP2, update to a version that properly validates attributes in Visio files.

**Name of the Vulnerable Software and Affected Versions** Adobe Flash Player versions prior to 10.0.42.34 Adobe AIR versions prior to 1.5.3 **Description** The issue allows remote attackers to obtain the names of local files via unknown vectors. This is due to an incomplete fix for a previous issue. **Recommendations** For Adobe Flash Player versions prior to 10.0.42.34, update to version 10.0.42.34 or later. For Adobe AIR versions prior to 1.5.3, update to version 1.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Microsoft Project versions 2000 SR1 through 2002 SP1 Microsoft Office Project version 2003 SP3 **Description** A remote code execution issue exists due to improper handling of memory allocation for Project files, allowing attackers to execute arbitrary code via a malformed file. This could enable an attacker to take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Microsoft Project versions 2000 SR1 through 2002 SP1, update to a version that properly handles memory allocation for Project files to prevent exploitation. For Microsoft Office Project version 2003 SP3, update to a version that properly handles memory allocation for Project files to prevent exploitation. As a temporary workaround, consider avoiding the use of specially crafted Project files until a patch is available.

Name of the Vulnerable Software and Affected Versions: Microsoft Office Excel versions 2002 SP3, 2003 SP3, 2007 SP1 and SP2 Office 2004 and 2008 for Mac Open XML File Format Converter for Mac Office Excel Viewer versions 2003 SP3, SP1 and SP2 Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats versions SP1 and SP2 Description: A remote code execution issue exists due to improper parsing of the Excel file format, allowing attackers to execute arbitrary code via a spreadsheet with a malformed record object. This could enable an attacker to take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. Recommendations: For Microsoft Office Excel 2002 SP3, update to a version that properly parses the Excel file format to prevent remote code execution. For Microsoft Office Excel 2003 SP3, update to a version that properly parses the Excel file format to prevent remote code execution. For Microsoft Office Excel 2007 SP1 and SP2, update to a version that properly parses the Excel file format to prevent remote code execution. For Office 2004 and 2008 for Mac, update to a version that properly parses the Excel file format to prevent remote code execution. For Open XML File Format Converter for Mac, update to a version that properly parses the Excel file format to prevent remote code execution. For Office Excel Viewer 2003 SP3, update to a version that properly parses the Excel file format to prevent remote code execution. For Office Excel Viewer SP1 and SP2, update to a version that properly parses the Excel file format to prevent remote code execution. For Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, update to a version that properly parses the Excel file format to prevent remote code execution.

Name of the Vulnerable Software and Affected Versions: Microsoft Office Excel versions 2002 SP3 through 2003 SP3 Office Excel Viewer version 2003 SP3 Description: A remote code execution issue exists due to improper parsing of the Excel file format, allowing attackers to execute arbitrary code via a spreadsheet with a malformed record object. This could enable an attacker to take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. Recommendations: For Microsoft Office Excel versions 2002 SP3 through 2003 SP3, update to a newer version to mitigate the risk. For Office Excel Viewer version 2003 SP3, update to a newer version to mitigate the risk. As a temporary workaround, consider avoiding the use of specially crafted Excel files that include a malformed record object until a patch is available.

Name of the Vulnerable Software and Affected Versions: Microsoft Office Excel 2002 SP3 and 2003 SP3 Office 2004 and 2008 for Mac Open XML File Format Converter for Mac Office Excel Viewer 2003 SP3 Description: A remote code execution issue exists in the way Microsoft Office Excel handles specially crafted Excel files, allowing attackers to execute arbitrary code via a crafted spreadsheet. This could enable an attacker to take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. Recommendations: For Microsoft Office Excel 2002 SP3, update to a version that properly parses the Excel file format to prevent arbitrary code execution. For Microsoft Office Excel 2003 SP3, update to a version that properly handles specially crafted Excel files. For Office 2004 and 2008 for Mac, update to a version that correctly parses the Excel file format. For Open XML File Format Converter for Mac, update to a version that properly handles Excel files. For Office Excel Viewer 2003 SP3, update to a version that correctly handles specially crafted Excel files.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Excel versions 2000 SP3 through 2003 SP3 Microsoft Office Excel versions 2007 SP1 through SP2 Microsoft Office Excel Viewer version 2003 SP3 Microsoft Office Excel Viewer (affected versions not specified) Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats versions SP1 through SP2 Open XML File Format Converter for Mac (affected versions not specified) Microsoft Office for Mac versions 2004 through 2008 **Description** A remote code execution issue exists in Microsoft Office Excel, allowing attackers to execute arbitrary code via a crafted Excel file with a malformed record object. This could enable an attacker to take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Microsoft Office Excel versions 2000 SP3 through 2003 SP3, update to a newer version to mitigate the risk. For Microsoft Office Excel versions 2007 SP1 through SP2, update to a newer version to mitigate the risk. For Microsoft Office Excel Viewer version 2003 SP3, update to a newer version to mitigate the risk. For Microsoft Office Excel Viewer, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats versions SP1 through SP2, update to a newer version to mitigate the risk. For Open XML File Format Converter for Mac, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Microsoft Office for Mac versions 2004 through 2008, update to a newer version to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Excel versions in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3 Microsoft Office Excel versions in Office 2004 and 2008 for Mac Open XML File Format Converter for Mac Microsoft Office Excel Viewer 2003 SP3 **Description** A remote code execution issue exists in Microsoft Office Excel, allowing attackers to execute arbitrary code via a crafted Excel file with a malformed record object. This could enable an attacker to take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Microsoft Office Excel versions in Microsoft Office 2000 SP3, update to a newer version to mitigate the risk. For Microsoft Office Excel versions in Office XP SP3, update to a newer version to mitigate the risk. For Microsoft Office Excel versions in Office 2003 SP3, update to a newer version to mitigate the risk. For Microsoft Office Excel versions in Office 2004 and 2008 for Mac, update to a newer version to mitigate the risk. For Open XML File Format Converter for Mac, update to a newer version to mitigate the risk. For Microsoft Office Excel Viewer 2003 SP3, update to a newer version to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Visio versions 2002 SP2, 2003 SP3, and 2007 SP1 **Description** A remote code execution issue exists due to improper memory copy operations for object data. This allows attackers to execute arbitrary code via a crafted Visio document. An attacker could exploit this by sending a malformed file, which could be included as an e-mail attachment or hosted on a specially crafted Web site. If successfully exploited, an attacker could take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. The impact is more significant for users with administrative user rights. **Recommendations** For Microsoft Office Visio 2002 SP2, update to a version that includes the fix for this issue. For Microsoft Office Visio 2003 SP3, update to a version that includes the fix for this issue. For Microsoft Office Visio 2007 SP1, update to a version that includes the fix for this issue. As a temporary workaround, consider avoiding the use of crafted Visio documents until a patch is available. Restrict access to Visio documents from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Visio versions 2002 SP2 through 2003 SP3 **Description** A remote code execution issue exists due to improper memory validation when handling Visio files. This could allow an attacker to execute arbitrary code by sending a specially crafted file, potentially via email or a compromised website. If successfully exploited, an attacker could gain complete control of the affected system, enabling them to install programs, view, change, or delete data, or create new accounts with full user rights. The impact may be less severe for users with limited system privileges. **Recommendations** For Microsoft Office Visio versions 2002 SP2 through 2003 SP3, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Visio versions 2002 SP2, 2003 SP3, and 2007 SP1 **Description** A remote code execution issue exists due to improper validation of object data in Visio files. This allows attackers to execute arbitrary code via a crafted file. An attacker could exploit this by sending a specially crafted file, which could be included as an e-mail attachment or hosted on a specially crafted or compromised web site. If successfully exploited, an attacker could take complete control of an affected system, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights. The impact is reduced for users with fewer user rights on the system compared to those operating with administrative user rights. **Recommendations** For Microsoft Office Visio 2002 SP2, consider applying the necessary patch to fix the memory validation issue. For Microsoft Office Visio 2003 SP3, apply the patch that addresses the object data validation vulnerability. For Microsoft Office Visio 2007 SP1, update to a version that includes the fix for the remote code execution vulnerability.