Filip Ceglik

**Name of the Vulnerable Software and Affected Versions** Oracle Financial Services Crime and Compliance Investigation Hub version 20.1.2 **Description** The issue exists due to insufficient input validation in the Reports component of Oracle Financial Services Crime and Compliance Investigation Hub, allowing an attacker to gain access to modify, add, or delete data via the HTTP protocol. Successful attacks require human interaction and can result in unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data. **Recommendations** For version 20.1.2, consider restricting access to the Reports component until a patch is available. As a temporary workaround, limit logon access to the infrastructure where Oracle Financial Services Crime and Compliance Investigation Hub executes to minimize the risk of exploitation. Avoid using the HTTP protocol for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion Lifecycle Management version 11.1.2.4 **Description** The issue is related to insufficient input validation in the Shared Services component. It allows a high-privileged attacker with network access via HTTP to compromise Hyperion Lifecycle Management, but successful attacks require human interaction from a person other than the attacker. This can result in unauthorized creation, deletion, or modification access to critical data or all Hyperion Lifecycle Management accessible data. **Recommendations** For version 11.1.2.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Unified Directory versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient input validation in the Security component of Oracle Unified Directory, part of Oracle Fusion Middleware. It allows a high-privileged attacker with network access via HTTP to compromise Oracle Unified Directory, requiring human interaction from someone other than the attacker. Successful attacks can result in unauthorized access to critical data, including creation, deletion, or modification of data, as well as the ability to cause a hang or crash of Oracle Unified Directory. **Recommendations** For versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0, consider restricting access to the HTTP protocol until a fix is available. As a temporary workaround, consider disabling the `Security` component until a patch is available. Restrict access to sensitive data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion BI+ version 11.1.2.4 **Description** The issue is related to insufficient input validation in the UI & Visualization component of Oracle Hyperion BI+. This can be exploited by a remote attacker to gain unauthorized access to protected information using the HTTP protocol. The exploitation is considered difficult and requires human interaction from someone other than the attacker, as well as high privileges and network access. Successful attacks can result in unauthorized access to critical data. **Recommendations** For version 11.1.2.4, consider restricting access to the UI & Visualization component until a fix is available. As a temporary workaround, limit the use of HTTP protocol for sensitive operations. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Apache NetBeans versions up to and including 11.2 Description: The issue is related to the Apache NetBeans autoupdate system, which does not validate SSL certificates and hostnames for https-based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. The vulnerability may impact the confidentiality and integrity of protected information. Recommendations: For Apache NetBeans versions up to and including 11.2, consider disabling the autoupdate feature until a patch is available to prevent potential exploitation. Restrict access to the autoupdate system to minimize the risk of malicious code injection. Avoid using the autoupdate system for https-based downloads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.