Julien Oury–Nogues

**Name of the Vulnerable Software and Affected Versions** Halvotec RaQuest versions prior to 24.2020.20608.0 **Description** An issue was discovered in the login page of the admin application, which is vulnerable to an Open Redirect attack. This allows an attacker to redirect a user to a malicious site after authentication. The attacker needs to be on the same network to modify the victim's request on the wire. **Recommendations** For versions prior to 24.2020.20608.0, update to Release 24.2020.20608.0 to resolve the issue. As a temporary workaround, consider restricting access to the admin application's login page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Halvotec RaQuest versions prior to 10.24.11206.1 **Description** An issue was discovered that allows an anonymous user to access the list of connected users as well as the session cookie for each user through one of the exposed web services. **Recommendations** For versions prior to 10.24.11206.1, update to Release 10.24.11206.1 to resolve the issue. As a temporary workaround, consider restricting access to the exposed web services until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 **Description** An issue was discovered that allows a logged-in user to upload any type of file as API documentation by changing the file extension to an allowed one. **Recommendations** For WSO2 API Manager version 2.6.0, consider restricting file uploads to only necessary file types to minimize the risk of exploitation. As a temporary workaround, implement additional validation checks on uploaded files to ensure they match the expected file type based on the extension.

Name of the Vulnerable Software and Affected Versions: WSO2 API Manager versions 2.1.0 through 2.6.0 Description: A DOM-based XSS issue exists in the store part of the product, which may allow for malicious script execution. Recommendations: For WSO2 API Manager versions 2.1.0 through 2.6.0, update to a version that includes a fix for this issue, as no specific mitigation measures are provided.

Name of the Vulnerable Software and Affected Versions: WSO2 API Manager versions 2.1.0 through 2.6.0 Description: A reflected XSS issue exists in the carbon part of the product. Recommendations: For versions 2.1.0 through 2.6.0, update to a version that includes a fix for this issue.