George Mathias

**Name of the Vulnerable Software and Affected Versions** Softing TH SCOPE versions prior to 3.71 **Description** The issue allows for cross-site scripting (XSS), which is a type of attack where an attacker can inject malicious scripts into a website, potentially allowing them to steal user data or take control of the user's session. **Recommendations** For versions prior to 3.71, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OpenText AppBuilder versions 21.2 through 23.2 **Description** The issue allows an unauthenticated or authenticated user to abuse a page of AppBuilder to read arbitrary files on the server. This is due to improper input validation, making files or directories accessible to external parties. **Recommendations** For versions 21.2 through 23.2, update to version 23.2 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories on the server until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OpenText AppBuilder versions 21.2 through 23.2 **Description** The issue is related to improper input validation in the OpenText AppBuilder's Scheduler functionality, which allows authenticated users to inject arbitrary operating system commands into the executing process. This enables OS Command Injection. **Recommendations** For versions 21.2 through 23.2, update to version 23.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Scheduler functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenText AppBuilder versions 21.2 through 23.2 **Description** The issue is related to an Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder, allowing Server Side Request Forgery and enabling an attacker to probe system files. This is due to the AppBuilder's XML processor being vulnerable to XML External Entity Processing (XXE), which allows an authenticated user to upload specially crafted XML files. These files can induce server-side request forgery and disclose files local to the server that processes them. **Recommendations** For OpenText AppBuilder versions 21.2 through 23.2, update to version 23.2 or later to resolve the issue. As a temporary workaround, consider restricting the upload of XML files or disabling the XML processor until a patch is available. Restrict access to sensitive system files to minimize the risk of exploitation. Avoid using the vulnerable XML processor in the affected AppBuilder versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenText AppBuilder versions 21.2 through 23.2 **Description** The issue is related to improper input validation, allowing an authenticated user with database creation or management privileges to exploit the AppBuilder server. This exploitation can lead to access to the server's local file system. **Recommendations** For versions 21.2 through 23.2, update to version 23.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the database creation and management features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenText AppBuilder versions 21.2 through 23.2 **Description** The issue is related to improper input validation, allowing unauthenticated users to view AppBuilder configuration files. This enables probing of system files. **Recommendations** For versions 21.2 through 23.2, update to version 23.2 or later to resolve the issue. As a temporary workaround, consider restricting access to AppBuilder configuration files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM API Connect V10 **Description** The issue allows an authenticated user to perform actions that they should not have access to. **Recommendations** For IBM API Connect V10, at the moment, there is no information about a newer version that contains a fix for this issue.