Filipe Bernardo

Name of the Vulnerable Software and Affected Versions: HPE Storage Essentials version 9.5.0.142 Description: The issue involves Unauthenticated Java Deserialization, allowing remote code execution via OS commands in a request to the "invoker/JMXInvokerServlet" endpoint. This enables an attacker to execute commands remotely without authentication. Recommendations: For HPE Storage Essentials version 9.5.0.142, consider restricting access to the "invoker/JMXInvokerServlet" endpoint until a patch is available. As a temporary workaround, disabling the Java Deserialization functionality for this endpoint can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VASCO DIGIPASS authentication plug-in for Citrix Web Interface (affected versions not specified) **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `failmessage` parameter in the sample feedback.inc file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.