Jesús Antón

**Name of the Vulnerable Software and Affected Versions** Meta4 HR (affected versions not specified) **Description** A vulnerability has been found that allows an attacker to obtain information about the application, including variables set in the process, Tomcat versions, library versions, and the underlying operating system. This is achieved via the HTTP GET endpoint "/sitetest/english/dumpenv.jsp". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cegid Meta4 HR (affected versions not specified) **Description** The configuration pages in Cegid Meta4 HR are not intended to be placed on an Internet-facing web server, as they expose file paths to the client, who can be an attacker. These pages do not offer product functionality and will be dismissed from future releases. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cegid Meta4 HR (affected versions not specified) **Description** An Unrestricted Upload of File issue allows an attacker to upload malicious files to the server via the "/config/espanol/update password.jsp" file. By modifying the `M4 NEW PASSWORD` parameter, an attacker could store a malicious JSP file inside the file directory, which would be executed when the file is loaded in the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.