Damian Bury

Name of the Vulnerable Software and Affected Versions: Wildfly versions prior to 23.0.2.Final Description: A flaw was found in Wildfly while creating a new role in domain mode via the admin console, allowing a payload to be added in the `name` field, leading to XSS. This affects Confidentiality and Integrity. Recommendations: For versions prior to 23.0.2.Final, update to version 23.0.2.Final or later to resolve the issue. As a temporary workaround, consider restricting access to the admin console to minimize the risk of exploitation. Avoid using the `name` field in the role creation process until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Financial Services Analytical Applications Infrastructure versions 8.0.6 through 8.1.0 **Description** The issue is related to insufficient input validation in the Rules Framework component. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data. **Recommendations** For versions 8.0.6 through 8.1.0, consider restricting access to the Rules Framework component to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of HTTP requests to the affected infrastructure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion BI+ version 11.1.2.4 **Description** The issue is related to insufficient input validation in the IQR-Foundation service component of Oracle Hyperion BI+. It allows a high-privileged attacker with network access via multiple protocols to compromise Hyperion BI+, resulting in unauthorized read access to a subset of Hyperion BI+ accessible data. Successful attacks require human interaction from a person other than the attacker. **Recommendations** For version 11.1.2.4, consider restricting access to the IQR-Foundation service component to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of the affected service to reduce the potential impact of the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion BI+ version 11.1.2.4 **Description** The issue is related to insufficient input validation in the IQR-Foundation service component of Oracle Hyperion BI+. It allows a high-privileged attacker with network access via multiple protocols, including HTTP, to compromise Hyperion BI+. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to critical data or complete access to all Hyperion BI+ accessible data. **Recommendations** For version 11.1.2.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle Hyperion Financial Close Management version 11.1.2.4 Description: The issue exists due to insufficient input validation in the Close Manager component of Oracle Hyperion Financial Close Management. Exploitation of this issue may allow a remote attacker to modify, add, or delete data. The vulnerability is difficult to exploit and requires high privileges, as well as human interaction from someone other than the attacker. Successful attacks can result in unauthorized access to critical data or all accessible data within Hyperion Financial Close Management. Recommendations: For version 11.1.2.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion Financial Reporting versions 11.1.2.4 **Description** The issue is related to insufficient access control in the Web Based Report Designer component of Oracle Hyperion Financial Reporting. It allows a remote attacker to gain unauthorized access to protected information via the HTTP protocol. The attack requires human interaction from someone other than the attacker and can result in unauthorized read access to a subset of Hyperion Financial Reporting accessible data. **Recommendations** For version 11.1.2.4, consider restricting access to the Web Based Report Designer component to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of the HTTP protocol for accessing sensitive information within the Hyperion Financial Reporting product.

**Name of the Vulnerable Software and Affected Versions** PHP versions 7.2.x through 7.2.29 PHP versions 7.3.x through 7.3.16 PHP versions 7.4.x through 7.4.4 **Description** The issue is related to the `urldecode()` function in PHP, which can be exploited to access memory locations past the allocated buffer due to the erroneous use of signed numbers as array indexes. This can allow a remote attacker to access protected information. The vulnerability is particularly relevant when PHP is compiled with EBCDIC support, although this is an uncommon configuration. **Recommendations** For PHP versions 7.2.x through 7.2.29, update to version 7.2.30 or later. For PHP versions 7.3.x through 7.3.16, update to version 7.3.17 or later. For PHP versions 7.4.x through 7.4.4, update to version 7.4.5 or later.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion Financial Management version 11.1.2.4 **Description** The issue is related to insufficient access control in the Security component of Oracle Hyperion Financial Management. It allows a remote attacker to modify, add, or delete data using the HTTP protocol. The exploitation requires high privileges and human interaction from someone other than the attacker, potentially leading to unauthorized access to critical data. **Recommendations** For version 11.1.2.4, consider restricting access to the Security component until a patch is available. As a temporary workaround, limit network access via HTTP to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.