Carlos Sarraute

**Name of the Vulnerable Software and Affected Versions** IBM WebSphere Application Server versions 7.0.0.13 and earlier **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console of IBM WebSphere Application Server. These vulnerabilities allow remote attackers to hijack the authentication of administrators for requests, specifically those that disable certain security options. This can be achieved via an Edit action to "console/adminSecurityDetail.do" followed by a save action to "console/syncworkspace.do". **Recommendations** For IBM WebSphere Application Server versions 7.0.0.13 and earlier, consider disabling access to the "console/adminSecurityDetail.do" and "console/syncworkspace.do" endpoints until a fix is available. Restrict the use of the administrative console to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Windows 2000 (affected versions not specified) **Description** A issue in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: RealOne Player versions 6.0.11.x and earlier RealPlayer 8/RealPlayer Plus 8 version 6.0.9.584 Description: The issue concerns the PNG deflate algorithm, which allows remote attackers to corrupt the heap and overwrite arbitrary memory. This is achieved through a PNG graphic file format containing compressed data using fixed trees that contain the length values 286-287, treated as a very large length. Recommendations: For RealOne Player versions 6.0.11.x and earlier, update to a version later than 6.0.11.x to resolve the issue. For RealPlayer 8/RealPlayer Plus 8 version 6.0.9.584, update to a version later than 6.0.9.584 to resolve the issue.