Giovanni Delvecchio

**Name of the Vulnerable Software and Affected Versions** AVEVA InTouch Access Anywhere (affected versions not specified) Plant SCADA Access Anywhere (affected versions not specified) **Description** The issue is related to the disclosure of information in an error data area, which can be exploited by a remote attacker to execute arbitrary OS commands. When the Windows OS language bar functionality is enabled, it can be manipulated to launch an OS command prompt, resulting in a context-escape from the application into the OS. This can occur when the language bar UI is viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications. **Recommendations** As a temporary workaround, consider disabling the Windows OS language bar functionality until a patch is available. Restrict access to the OS command prompt to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Fusion Middleware MapViewer version 12.2.1.3.0 **Description** The issue is related to insufficient access control in the Tile Server component of Oracle Fusion Middleware MapViewer. This allows a remote attacker to modify, add, or delete data using the HTTP protocol. Successful exploitation can result in unauthorized access to critical data, including creation, deletion, or modification of data, as well as unauthorized read access to a subset of data. **Recommendations** For version 12.2.1.3.0, consider restricting access to the Tile Server component until a patch is available. As a temporary workaround, limit network access via HTTP to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Fusion Middleware MapViewer versions 12.2.1.3.0 through 12.2.1.4.0 **Description** The issue is related to the Oracle Fusion Middleware MapViewer product, specifically the Tile Server component. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle Fusion Middleware MapViewer. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The attacks can result in unauthorized update, insert, or delete access to some of Oracle Fusion Middleware MapViewer's accessible data, as well as unauthorized read access to a subset of Oracle Fusion Middleware MapViewer's accessible data. **Recommendations** For versions 12.2.1.3.0 and 12.2.1.4.0, consider restricting access to the Tile Server component until a patch is available. As a temporary workaround, consider disabling the HTTP access to the Oracle Fusion Middleware MapViewer product until a fix is provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Toshiba Bluetooth Stack for Windows versions prior to 9.10.32(T) Toshiba Service Station versions prior to 2.2.14 **Description** The issue allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character. This is due to an unquoted Windows search path vulnerability. **Recommendations** For Toshiba Bluetooth Stack for Windows versions prior to 9.10.32(T), update to version 9.10.32(T) or later. For Toshiba Service Station versions prior to 2.2.14, update to version 2.2.14 or later.

Name of the Vulnerable Software and Affected Versions: Skype versions 1.1.0.20 and earlier Description: The issue allows local users to overwrite arbitrary files via a symlink attack on the `skype profile.jpg` temporary file. Recommendations: For Skype versions 1.1.0.20 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Wine versions 20050211 and earlier **Description** The issue allows local users to obtain sensitive information, such as passwords, due to the creation of temp files with world-readable permissions and predictable file names. **Recommendations** For Wine versions 20050211 and earlier, consider restricting access to temporary files created by the application to minimize the risk of sensitive information disclosure.