Maksymilian Kubiak

**Name of the Vulnerable Software and Affected Versions** Ready versions installed at the turn of 2021 and 2022 **Description** The issue allows users to upload files of any type and extension without restriction in the Profile section of the Ready application. If the server is misconfigured, it can result in Remote Code Execution. This misconfiguration was present by default in installations from late 2021 and early 2022. **Recommendations** For versions installed at the turn of 2021 and 2022, ensure proper server configuration to prevent Remote Code Execution, as described in the Required Configuration for Exposure section.

**Name of the Vulnerable Software and Affected Versions** Ready File Explorer (affected versions not specified) **Description** A cross-site scripting (XSS) issue in the upload functionality of Ready File Explorer allows the injection of arbitrary JavaScript code in the filename. The injected content is stored on the server and is executed every time a user interacts with the uploaded file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ready (affected versions not specified) **Description** The issue allows a low-privileged user to provide a link to a local file using the `file://` protocol, enabling the attacker to read the content of the file. This can be used to read the content of system files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ready (affected versions not specified) **Description** The issue arises from the improper neutralization of user input in a file search function within the invoices module, allowing for SQL Injection attacks. This can be exploited by a low-privileged user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CyberArk Endpoint Privilege Manager in SaaS version 24.7.1 **Description** The issue allows IP address spoofing by providing a custom value in the `X-Forwarded-For` header, which compromises the action logging mechanism's accountability. **Recommendations** For version 24.7.1, consider restricting the use of the `X-Forwarded-For` header until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CyberArk Endpoint Privilege Manager in SaaS version 24.7.1 **Description** The issue allows an attacker with access to the Administration panel, specifically the "Role Management" tab, to inject code by adding a new role in the `name` field. However, the risk of exploiting this issue is reduced due to the required additional error that allows bypassing the Content-Security-Policy policy, which mitigates JS code execution while still allowing HTML injection. **Recommendations** For version 24.7.1, consider restricting access to the "Role Management" tab in the Administration panel to minimize the risk of exploitation. As a temporary workaround, avoid using the `name` field in the "Role Management" tab until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CyberArk Endpoint Privilege Manager version 24.7.1 **Description** The issue allows for HTML code injection into the page content through the `content` field in the Application definition page. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For version 24.7.1, consider restricting access to the `content` field in the Application definition page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CyberArk Endpoint Privilege Manager in SaaS version 24.7.1 **Description** The application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint, it is possible to perform a brute force attack on the current password in use. **Recommendations** For CyberArk Endpoint Privilege Manager in SaaS version 24.7.1, consider implementing rate limiting on the "/EPMUI/VfManager.asmx/ChangePassword" endpoint to prevent brute force attacks until a patch is available. As a temporary workaround, restrict access to this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CyberArk Endpoint Privilege Manager in SaaS version 24.7.1 **Description** The issue concerns code injection in the "modalDlgMsgInternal" parameter via POST in the "/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg" endpoint, which is then executed in the browser. The risk of exploitation is somewhat mitigated by the need to bypass the Content-Security-Policy. **Recommendations** For version 24.7.1, consider restricting access to the "/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `modalDlgMsgInternal` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GraphQL (affected versions not specified) Description: A vulnerability was found in GraphQL due to improper access controls on the `graphql introspection query`. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery of flaws or errors specific to the application's GraphQL implementation. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `graphql introspection query` to minimize the risk of exploitation. Apply available patches immediately to mitigate risks.

Name of the Vulnerable Software and Affected Versions: OpenShift (affected versions not specified) Description: A denial of service (DoS) issue was found in OpenShift, related to the GraphQL batching functionality. This allows attackers to send multiple queries within a single request, potentially submitting a request with thousands of aliases in one query. The issue leads to excessive resource consumption, causing application unavailability for legitimate users. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LuckyWP Table of Contents WordPress plugin versions 2.1.4 and earlier **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For LuckyWP Table of Contents WordPress plugin versions 2.1.4 and earlier, update to a version that addresses the sanitization and escaping of settings to prevent Stored Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Site Reviews WordPress plugin versions prior to 7.0.0 **Description** The issue allows an attacker to manipulate client IP addresses retrieved from potentially untrusted headers, which can be used to bypass IP-based blocking. **Recommendations** For versions prior to 7.0.0, update to version 7.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BMC Control-M versions 9.0.20 through 9.0.21 **Description** The issue is related to a lack of input sanitization, allowing logged-in users to manipulate generated web pages via injection of HTML code. This could lead to a successful phishing attack, for example, by tricking users into using a hyperlink pointing to a website controlled by an attacker. **Recommendations** For version 9.0.20, update to version 9.0.20.238 to resolve the issue. For version 9.0.21, update to version 9.0.21.200 to resolve the issue. As a temporary workaround, consider restricting access to generated web pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BMC Control-M versions 9.0.20 through 9.0.21 **Description** The issue arises when BMC Control-M loads all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users upon user login. This can be leveraged to load potentially malicious libraries, which will execute with the application's privileges. **Recommendations** For version 9.0.20, update to version 9.0.20.238 to resolve the issue. For version 9.0.21, update to version 9.0.21.201 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BMC Control-M versions 9.0.20 through 9.0.21 **Description** The issue is related to improper authorization in the report management and creation module, allowing logged-in users to read and make unauthorized changes to any reports within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. **Recommendations** For version 9.0.20, update to version 9.0.20.238 to resolve the issue. For version 9.0.21, update to version 9.0.21.201 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Enterprise Architect version 16.0.1605 **Description** The issue allows attackers to run arbitrary SQL commands via the `Find` parameter in the Select Classifier dialog box. This can be exploited by attackers to execute unauthorized SQL queries. **Recommendations** For Enterprise Architect version 16.0.1605, consider restricting access to the Select Classifier dialog box until a patch is available. As a temporary workaround, avoid using the `Find` parameter in the affected dialog box to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IBM i Access Client Solutions versions 1.1.2 through 1.1.4 IBM i Access Client Solutions versions 1.1.4.3 through 1.1.9.3 **Description** The issue allows a local attacker to obtain the password to other systems by decoding the key for an encrypted password. This can be achieved if the attacker gains access to the encrypted password. **Recommendations** For versions 1.1.2 through 1.1.4, consider updating to a version outside of this range to mitigate the risk. For versions 1.1.4.3 through 1.1.9.3, consider updating to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the encrypted password storage to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM i Access Client Solutions versions 1.1.2 through 1.1.4 IBM i Access Client Solutions versions 1.1.4.3 through 1.1.9.3 **Description** The issue is related to insufficient authorization procedure in the IBM i Access Client Solutions, allowing a remote attacker to execute arbitrary code due to improper authority checks. This could enable the attacker to perform operations on the PC under the user's authority. **Recommendations** For versions 1.1.2 through 1.1.4, update to a version outside of this range to mitigate the risk. For versions 1.1.4.3 through 1.1.9.3, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to sensitive operations on the PC to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM i Access Client Solutions versions 1.1.2 through 1.1.4 IBM i Access Client Solutions versions 1.1.4.3 through 1.1.9.3 **Description** The issue allows an attacker to obtain a decryption key due to improper authority checks. **Recommendations** For versions 1.1.2 through 1.1.4, update to a version outside of this range to resolve the issue. For versions 1.1.4.3 through 1.1.9.3, update to a version outside of this range to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.