Hamed Ashraf

**Name of the Vulnerable Software and Affected Versions** IBM Security Guardium versions 11.3 through 11.5 **Description** The issue is related to improper validation of csv file contents, which could allow a remote attacker to execute malicious commands. This is due to the lack of neutralization of elements in the CSV file. **Recommendations** For versions 11.3 through 11.5, consider disabling the import of CSV files until a patch is available to prevent exploitation. Restrict access to the functionality that handles CSV file contents to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Maximo Asset Management versions 7.6.1.1 through 7.6.1.3 IBM Maximo Application Suite versions 8.8 through 8.9 **Description** This issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. The vulnerability is related to stored cross-site scripting. **Recommendations** For IBM Maximo Asset Management versions 7.6.1.1 through 7.6.1.3, update to a version that includes the fix for this issue. For IBM Maximo Application Suite versions 8.8 through 8.9, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Web UI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4, 4.2, 4.3, 4.4, and 5.0 **Description** The vulnerability exists in the Mediation Engine component of Oracle Communications Operations Monitor due to insufficient input validation. This allows a remote attacker to gain read access, modify, add, or delete data, or cause a partial denial of service using HTTP requests. Successful attacks can result in unauthorized access to some data, as well as the ability to cause a partial denial of service. **Recommendations** For versions 3.4, 4.2, 4.3, 4.4, and 5.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4, 4.2, 4.3, 4.4, 5.0 **Description** The issue exists due to insufficient input validation in the Mediation Engine component of Oracle Communications Operations Monitor. This can be exploited by a remote attacker using specially crafted HTTP requests, potentially allowing them to read, modify, add, or delete data, or cause a partial denial of service. The vulnerability may significantly impact additional products beyond Oracle Communications Operations Monitor, enabling unauthorized access to and modification of data, as well as partial denial of service attacks. **Recommendations** For versions 3.4, 4.2, 4.3, 4.4, 5.0, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4, 4.2, 4.3, 4.4, and 5.0 **Description** The issue is due to insufficient input validation in the Mediation Engine component. It allows a high-privileged attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks can result in the takeover of Oracle Communications Operations Monitor. The vulnerability can be exploited using specially crafted HTTP requests. **Recommendations** For versions 3.4, 4.2, 4.3, 4.4, and 5.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4, 4.2, 4.3, 4.4, 5.0 **Description** The issue is related to insufficient input validation in the Mediation Engine component. It allows a low-privileged attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks require human interaction and may significantly impact additional products, resulting in unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data. **Recommendations** For versions 3.4, 4.2, 4.3, 4.4, 5.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4, 4.2, 4.3, 4.4, and 5.0 **Description** The issue is related to insufficient input validation in the Mediation Engine component. It allows a low-privileged attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The attacks can result in unauthorized update, insert, or delete access to some of Oracle Communications Operations Monitor's accessible data, as well as unauthorized read access to a subset of Oracle Communications Operations Monitor's accessible data. **Recommendations** For versions 3.4, 4.2, 4.3, 4.4, and 5.0, consider restricting access to the Mediation Engine component to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling HTTP access to the Oracle Communications Operations Monitor until the issue is resolved. Avoid using specially crafted HTTP requests to the affected component until the vulnerability is fixed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4, 4.2, 4.3, 4.4, and 5.0 **Description** The issue is related to insufficient input validation in the Mediation Engine component of Oracle Communications Operations Monitor. This allows a low-privileged attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The exploitation can result in unauthorized update, insert, or delete access to some of the accessible data, as well as unauthorized read access to a subset of the accessible data. **Recommendations** For versions 3.4, 4.2, 4.3, 4.4, and 5.0, consider restricting access to the Mediation Engine component until a patch is available. As a temporary workaround, avoid using specially crafted HTTP requests to minimize the risk of exploitation. Restrict access to sensitive data to prevent unauthorized read, update, insert, or delete access.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1 Oracle GraalVM Enterprise Edition versions 20.3.4, 21.3.0 **Description** The issue is related to the JAXP component and involves the execution of a loop with an unreachable exit condition. This can be exploited by an unauthenticated attacker with network access via multiple protocols to cause a partial denial of service. The vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component, such as through a web service that supplies data to the APIs. **Recommendations** For Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1, update to a version that contains the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.4, 21.3.0, update to a version that contains the fix for this issue. As a temporary workaround, consider restricting access to the JAXP component until a patch is available. Avoid using APIs in the specified component that may be vulnerable to exploitation until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Operations Monitor versions 3.4, 4.2, 4.3, 4.4, 5.0 **Description** The issue is related to insufficient input validation in the Mediation Engine component of Oracle Communications Operations Monitor. This can be exploited by a low-privileged attacker with network access via HTTP, potentially compromising the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products, resulting in unauthorized access to data. **Recommendations** For versions 3.4, 4.2, 4.3, 4.4, 5.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeopleSoft Enterprise CS SA Integration Pack versions 9.0 through 9.2 **Description** The issue is related to insufficient input validation in the Snapshot Integration component of the PeopleSoft Enterprise CS SA Integration Pack product. This allows an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized access to critical data or complete access to all accessible data. **Recommendations** For versions 9.0 and 9.2, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.