Marcin Woloszyn

**Name of the Vulnerable Software and Affected Versions** OpenText Document Sciences xPression versions prior to v4.5SP1 Patch 13 **Description** The issue allows for SQL Injection, specifically through the "/xDashboard/html/jobhistory/downloadSupportFile.action" API endpoint, with the `jobRunId` parameter being vulnerable. An attacker must first authenticate to the application to exploit this issue. **Recommendations** For versions prior to v4.5SP1 Patch 13, update to v4.5SP1 Patch 13 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/xDashboard/html/jobhistory/downloadSupportFile.action" API endpoint and limiting the use of the `jobRunId` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OpenText Document Sciences xPression versions prior to v4.5SP1 Patch 13 **Description** The issue allows for SQL Injection, specifically through the `/xAdmin/html/cm doclist view uc.jsp` API endpoint, with the vulnerable parameter being `documentId`. An attacker must first authenticate to the application to exploit this issue. **Recommendations** For versions prior to v4.5SP1 Patch 13, update to v4.5SP1 Patch 13 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/xAdmin/html/cm doclist view uc.jsp` endpoint and limiting the use of the `documentId` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Hitachi Device Manager versions prior to 8.5.2-01 Hitachi Replication Manager versions prior to 8.5.2-00 **Description** A cross-site scripting issue allows authenticated remote users to execute arbitrary JavaScript code. **Recommendations** For Hitachi Device Manager versions prior to 8.5.2-01, update to version 8.5.2-01 or later. For Hitachi Replication Manager versions prior to 8.5.2-00, update to version 8.5.2-00 or later.