Jeff Gennari

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions 10.4.8 and earlier **Description** A heap-based buffer overflow issue exists in the Finder component, allowing user-assisted remote attackers to execute arbitrary code. This can be achieved by browsing directories that contain crafted .DS Store files. **Recommendations** For Apple Mac OS X versions 10.4.8 and earlier, update to a version later than 10.4.8 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime Player versions 7.0.3 through 7.0.4 iTunes versions 6.0.1 through 6.0.2 **Description** The issue is related to an integer overflow in the handling of FlashPix (FPX) images. This overflow can be triggered by a specially crafted FPX image that contains a field specifying a large number of blocks, allowing remote attackers to execute arbitrary code. **Recommendations** For Apple QuickTime Player versions 7.0.3 through 7.0.4, consider updating to a newer version to resolve the issue. For iTunes versions 6.0.1 through 6.0.2, consider updating to a newer version to resolve the issue. As a temporary workaround, consider avoiding the use of FlashPix (FPX) images in Apple QuickTime Player and iTunes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle Diagnostics module version 2.2 and earlier **Description** The issue allows remote attackers to access diagnostics tests via unknown attack vectors. **Recommendations** For Oracle Diagnostics module version 2.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WebEOC versions prior to 6.0.2 **Description** The issue allows remote attackers to obtain valid usernames via the HTML source of the WebEOC login webpage. This information could be useful in other attacks, such as locking out valid users via brute force methods. **Recommendations** For versions prior to 6.0.2, update to version 6.0.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Oracle Application Server versions 9.0 up to 9.0.2.1 **Description** The issue concerns an unspecified vulnerability in SQL*ReportWriter. Details about the impact and attack vectors of this issue are not provided. **Recommendations** For Oracle Application Server versions 9.0 up to 9.0.2.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite and Applications versions 11.5 up to 11.5.10 **Description** The issue affects various components of Oracle E-Business Suite and Applications, including Application Install, Application Object Library, Applications Technology Stack, Applications Utilities, HRMS, Mobile Application Foundation, SDP Number Portability, Oracle Service, Service Fulfillment Manage, Universal Work Queue, and Workflow Cartridge. The impact and attack vectors of these vulnerabilities are unknown. **Recommendations** For Oracle E-Business Suite and Applications versions 11.5 up to 11.5.10, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WebEOC versions prior to 6.0.2 Description: The issue is related to a weak encryption scheme used for passwords, making it easier for attackers to crack passwords. Recommendations: For versions prior to 6.0.2, update to version 6.0.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: WebEOC versions prior to 6.0.2 Description: The issue allows remote attackers to inject arbitrary web script and HTML, potentially leading to cross-site scripting (XSS) attacks. This could enable attackers to execute malicious scripts on the client-side, compromising user sessions and sensitive data. Recommendations: For versions prior to 6.0.2, update to version 6.0.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: WebEOC versions prior to 6.0.2 Description: The issue allows remote attackers to obtain sensitive information, including `usernames`, `passwords`, emergency information, medical information, and system configuration, which is stored in locations such as URIs, web pages, and configuration files. Recommendations: For versions prior to 6.0.2, update to version 6.0.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: WebEOC versions prior to 6.0.2 Description: The issue allows remote attackers to modify SQL statements, potentially leading to unauthorized data access or modification. The attack vectors for this issue are not specified. Recommendations: For versions prior to 6.0.2, update to version 6.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the SQL database to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WebEOC versions prior to 6.0.2 Description: The issue allows remote authenticated users to cause a denial of service by consuming system and database resources via a large uploaded file, due to improper restriction of the uploaded file size. Recommendations: For versions prior to 6.0.2, update to version 6.0.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: WebEOC versions prior to 6.0.2 Description: The issue is related to improper user authorization checks, allowing remote attackers to gain privileges by making a direct request to a resource. Recommendations: For versions prior to 6.0.2, update to version 6.0.2 or later to resolve the issue.