Jakub Sajniak

**Name of the Vulnerable Software and Affected Versions** Cisco ISE (affected versions not specified) **Description** A vulnerability in the web-based management interface of Cisco ISE could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This issue exists due to insufficient validation of user-supplied input. An attacker could exploit this by persuading a user to click a crafted link, potentially allowing the execution of arbitrary script code in the context of the affected interface or access to sensitive browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco TelePresence Management Suite (TMS) Software (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This issue is due to insufficient input validation by the web-based management interface. An attacker could exploit this by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco TelePresence Management Suite (affected versions not specified) **Description** The issue exists due to insufficient input validation by the web-based management interface, allowing an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack. This could enable the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. The attacker could exploit this by inserting malicious data in a specific data field in the interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by authenticating to the application as a user with read-only or higher privileges and sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to read or modify data in the underlying database or elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Enterprise Manager Base Platform version 13.4.0.0 **Description** The issue is related to insufficient input validation in the UI Framework component. It allows an unauthenticated attacker with network access via HTTP to compromise the Enterprise Manager Base Platform. Successful attacks require human interaction and may significantly impact additional products. The attacks can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For version 13.4.0.0, consider restricting access to the UI Framework component until a patch is available. As a temporary workaround, limit the use of HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Advanced Supply Chain Planning versions 12.1 through 12.2 **Description** The issue is related to insufficient input validation in the Core component of Oracle Advanced Supply Chain Planning, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data, as well as unauthorized access to all accessible data. **Recommendations** For versions 12.1 and 12.2, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.