Elin Kai

#19298 of 53,632
13.7 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2026-43079
4.9
2026-05-25
Apache · Apache Syncope · CVE-2026-42797
**Name of the Vulnerable Software and Affected Versions**

- Apache Syncope versions 3.0 through 3.0.16
- Apache Syncope versions 4.0 through 4.0.5
- Apache Syncope version 4.1.0

**Description**

An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL (Java Expression Language) expression. This allows any administrator with sufficient entitlements for User read to access security-sensitive information related to users.

**Recommendations**

For versions 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0, upgrade to version 4.0.6 or 4.1.1.
PT-2024-29296
8.8
2024-11-16
Apache · Apache Hertzbeat · CVE-2024-41151
**Name of the Vulnerable Software and Affected Versions**

Apache HertzBeat versions prior to 1.6.1

**Description**

This issue is related to the deserialization of untrusted data, which can only be exploited by authorized attackers. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

**Recommendations**

For Apache HertzBeat versions prior to 1.6.1, users are recommended to upgrade to version 1.6.1, which fixes the issue.