Lutz Wolf

**Name of the Vulnerable Software and Affected Versions** Oracle Agile PLM Framework version 9.3.6 **Description** The issue is related to insufficient input validation in the Agile Integration Services component, allowing a low-privileged attacker with network access via HTTP to compromise the Oracle Agile PLM Framework. This can result in the takeover of the system, impacting confidentiality, integrity, and availability. The vulnerability is easily exploitable and can significantly affect additional products. Oracle has released a patch to address this flaw as part of its January 2025 Critical Patch Update, which includes fixes for 318 vulnerabilities across its products. **Recommendations** For version 9.3.6, update to a newer version that includes the fix for this issue, as provided in Oracle's January 2025 Critical Patch Update. As a temporary workaround, consider restricting access to the Agile Integration Services component to minimize the risk of exploitation. Avoid using the vulnerable component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Agile PLM version 9.3.6 **Description** An incorrect authorization issue exists in the Oracle Agile PLM Framework of Oracle Supply Chain, specifically within the Software Development Kit Process Extension component. This flaw is caused by insufficient input validation and allows an unauthenticated remote attacker with network access via HTTP to bypass authentication. Successful exploitation enables the attacker to disclose protected information, access critical data, or download sensitive files from the system. This issue has been actively exploited in real-world attacks. **Recommendations** Apply security patches for version 9.3.6 immediately.

**Name of the Vulnerable Software and Affected Versions** Roundcube Webmail versions 1.5.0 through 1.5.6 Roundcube Webmail versions 1.6.0 through 1.6.6 **Description** The issue is related to an incomplete fix for a previous problem and allows command injection via `im convert path` and `im identify path`. This can potentially allow a remote attacker to elevate their privileges. The problem exists because of insufficient data cleaning at the management level. **Recommendations** For Roundcube Webmail versions 1.5.0 through 1.5.6, update to version 1.5.7 or later. For Roundcube Webmail versions 1.6.0 through 1.6.6, update to version 1.6.7 or later. As a temporary workaround, consider restricting access to the `im convert path` and `im identify path` functions until a patch is available.

Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions prior to 1.5.7 and 1.6.x prior to 1.6.7 Description: The issue is related to a stored cross-site scripting vulnerability in the Roundcube webmail software, allowing an attacker to execute JavaScript code on the user's page. This vulnerability can be exploited by sending a malicious email to a user, which then executes the malicious code when the email is opened. The vulnerability is caused by improper filtering of SVG tags, specifically the `animate` attributes. It is reported that over 2.7 million services are potentially affected, and there have been real-world incidents where this issue was exploited to steal credentials and compromise emails. Recommendations: For versions prior to 1.5.7 and 1.6.x prior to 1.6.7, update to version 1.5.7 or 1.6.7 or later to resolve the issue. As a temporary workaround, consider disabling the use of SVG elements in emails until a patch is applied. Restrict access to the vulnerable Roundcube webmail software to minimize the risk of exploitation. Avoid using the `animate` attributes in SVG elements in emails until the issue is resolved.