Francesco Giordano

**Name of the Vulnerable Software and Affected Versions** Oracle GlassFish Server versions 3.1.2.18 and below **Description** The issue allows a malicious user to cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. This issue only affects products that are no longer supported by the maintainer. **Recommendations** For Oracle GlassFish Server versions 3.1.2.18 and below, consider disabling access to the /common/logViewer/logViewer.jsf page as a temporary workaround until a solution is determined, noting that these versions are no longer supported. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wowza Streaming Engine versions prior to 4.8.8.01 **Description** The issue concerns cleartext passwords stored in the conf/admin.password file in a default installation. A regular local user can read usernames and passwords. **Recommendations** For versions prior to 4.8.8.01, update to version 4.8.8.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the conf/admin.password file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Wowza Streaming Engine versions through 4.8.5 **Description** The issue concerns incorrect file permissions of configuration files in the conf/ directory. A regular local user can read and write to all the configuration files, allowing them to modify the application server configuration. **Recommendations** For Wowza Streaming Engine versions through 4.8.5, update the file permissions of the configuration files in the conf/ directory to restrict access to authorized users only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wowza Streaming Engine versions prior to 4.8.5 **Description** The issue allows an authenticated user with access to proxy license editing to insert a malicious payload that will be triggered in the main page of server settings. This is a case of XSS. The issue was resolved in Wowza Streaming Engine 4.8.5. **Recommendations** For versions prior to 4.8.5, update to Wowza Streaming Engine 4.8.5 to resolve the issue. As a temporary workaround, consider restricting access to the proxy license editing feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Adaptive Security Appliance (ASA) (affected versions not specified) **Description** The issue is related to the smart tunnel functionality of Cisco Adaptive Security Appliance (ASA) and is associated with insufficient access control. It could allow an authenticated, local attacker to elevate privileges to the root user or load a malicious library file while the tunnel is being established. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.