Egor Karbutov

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 10.3.3 Apple Safari versions prior to 10.1.2 Apple tvOS versions prior to 10.2.2 **Description** A DOMParser XSS issue was discovered in certain Apple products, involving the WebKit component. **Recommendations** For iOS versions prior to 10.3.3, update to version 10.3.3 or later. For Safari versions prior to 10.1.2, update to version 10.1.2 or later. For tvOS versions prior to 10.2.2, update to version 10.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4 **Description** The issue affects the confidentiality and integrity of the system, potentially allowing remote authenticated users to execute arbitrary SQL commands via a request involving the `afamexts.sql` SQL extension. This could enable unauthorized updates, insertions, deletions of data, as well as unauthorized access to read data in Oracle Applications Manager. The exact nature of the vulnerability is related to errors in the code and is possibly a SQL injection vulnerability, although Oracle has not confirmed this. **Recommendations** For versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4, consider restricting access to the `afamexts.sql` SQL extension to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the SQL Extensions feature in the Oracle Applications Manager component until a patch is available. Avoid using the `afamexts.sql` SQL extension in requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4 **Description** The issue is related to errors in the code of the Oracle Application Object Library component, allowing remote attackers to affect confidentiality. It is also claimed that this issue may allow remote attackers to enumerate database users via a series of requests to `Aoljtest.js`. The vulnerability is related to Java APIs - AOL/J. **Recommendations** For versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4, consider restricting access to the Oracle Application Object Library component until a patch is available. As a temporary workaround, consider disabling requests to `Aoljtest.js` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.