Dominique Righetto

**Name of the Vulnerable Software and Affected Versions** OpenConcerto version 1.7.5 **Description** Plaintext storage of a password allows the retrieval of embedded sensitive data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jOpenDocument version 1.5 **Description** Improper restriction of XML external entity reference in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup. This occurs when the application fails to properly restrict XML external entities, which are references to external files or resources within an XML document. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenConcerto version 1.7.5 **Description** Incorrect permission assignment for a critical resource allows the replacement of binaries. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ObjectPlanet Opinio versions 7.26 rev12562 **Description** A flaw exists in the survey-import feature that allows an attacker to force the server to make HTTP GET requests to an arbitrary destination through crafted import requests. This is a Blind Server-Side Request Forgery (SSRF) issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ObjectPlanet Opinio versions 7.26 rev12562 **Description** A stored Cross-Site Scripting (XSS) issue exists in the survey-import feature of the web application. This allows an attacker to inject arbitrary JavaScript code that will execute within the browsing context of visitors accessing a compromised survey. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ObjectPlanet Opinio version 7.26 rev12562 **Description** A Cross-Site Request Forgery (CSRF) issue exists in the resource-management feature. This allows an attacker to upload files on behalf of connected users and then access those files without authentication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeopleSoft Enterprise HCM Talent Acquisition Manager version 9.2 **Description** The issue allows a low-privileged attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. Attacks can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For version 9.2, update to a version that includes a fix for this issue, as the current version is affected and allows for unauthorized data access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apiris Kafeo version 6.4.4 **Description** An issue was discovered that permits a bypass of the protection in place, allowing access to the data stored in the embedded database file. **Recommendations** For Apiris Kafeo version 6.4.4, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Apiris Kafeo version 6.4.4 **Description** An issue in Apiris Kafeo permits DLL hijacking, allowing a user to trigger the execution of arbitrary code every time the product is executed. **Recommendations** For Apiris Kafeo version 6.4.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EMS SQL Manager version 3.6.2 (build 55333) for Oracle **Description** The issue allows DLL hijacking, enabling a user to trigger the execution of arbitrary code every time the product is executed. **Recommendations** For EMS SQL Manager version 3.6.2 (build 55333) for Oracle, as a temporary workaround, consider restricting access to the product until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Regify Regipay Client for Windows version 4.5.1.0 **Description** An issue was discovered in Regify Regipay Client for Windows that allows DLL hijacking, enabling a user to trigger the execution of arbitrary code every time the product is executed. This issue can lead to the execution of malicious code, potentially compromising the system. **Recommendations** For Regify Regipay Client for Windows version 4.5.1.0, consider disabling the execution of the product until a patch is available to prevent the exploitation of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Interact version 7.9.79.5 **Description** The issue allows stored Cross-site Scripting (XSS) attacks in several locations, enabling an attacker to store a JavaScript payload. This can lead to the execution of malicious scripts on the client-side. **Recommendations** For Interact version 7.9.79.5, update to a version that includes a fix for this issue, as no specific workaround is provided for this version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Independentsoft JWord versions prior to 1.1.110 **Description** An issue was discovered in the API, which is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. This occurs when processing a DOCX file containing a malicious DTD. **Recommendations** For versions prior to 1.1.110, update to version 1.1.110 or later to resolve the issue. As a temporary workaround, consider restricting the processing of DOCX files from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Independentsoft JSpreadsheet versions prior to 1.1.110 **Description** An issue was discovered in the API, which is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. **Recommendations** For versions prior to 1.1.110, update to version 1.1.110 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Independentsoft JODF versions prior to 1.1.110 **Description** An issue was discovered in the API, which is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. This allows for potential exploitation. **Recommendations** For versions prior to 1.1.110, update to version 1.1.110 or later to resolve the issue. As a temporary workaround, consider restricting the processing of DOCX files from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Archibus Web Central version 2022.03.01.107 **Description** The issue is related to a service exposed by the application that accepts a user-controlled parameter used to create an SQL query, making it prone to SQL injection. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Archibus Web Central version 2022.03.01.107, consider restricting access to the vulnerable service to minimize the risk of exploitation. As a temporary workaround, avoid using user-controlled parameters in SQL queries until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Archibus Web Central version 2022.03.01.107 **Description** An issue was discovered in the application where a service exposed allows a basic user to access the profile information of all connected users. **Recommendations** For Archibus Web Central version 2022.03.01.107, consider restricting access to the exposed service to prevent basic users from accessing profile information of all connected users. As a temporary workaround, restrict the service's functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Archibus Web Central version 2022.03.01.107 **Description** An issue was discovered in the application where a service allows a basic user to cancel or delete a booking created by someone else, even if the basic user is not a member of the booking. **Recommendations** For Archibus Web Central version 2022.03.01.107, consider restricting access to the booking cancellation service to prevent unauthorized deletion of bookings. As a temporary workaround, consider disabling the booking cancellation feature for basic users until a patch is available. Restrict basic users from accessing the booking service to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Archibus Web Central version 2022.03.01.107 **Description** An issue was discovered in the application where a service accepts user-controlled parameters to act on the data returned to the user. This allows a basic user to access data unrelated to their role. **Recommendations** For Archibus Web Central version 2022.03.01.107, consider restricting access to the service that accepts user-controlled parameters until a patch is available. As a temporary workaround, limit the data that can be accessed by basic users to only what is necessary for their role. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Incapptic Connect versions prior to 1.40.1 **Description** A non-admin user with user management permission can escalate their privilege to an admin user via the password reset functionality. **Recommendations** For versions prior to 1.40.1, update to version 1.40.1 or later to resolve the issue. As a temporary workaround, consider restricting the user management permission to prevent non-admin users from exploiting the password reset functionality.