
Marek Parfianowicz

Researcher from Atlassian
Rank #21996 of 53,634
Total CVSS: 10.7
Vulnerabilities: 2 (Medium: 2)
PT-2024-28233 · CVSS 5.3 · 2024-10-17
Vmware · Vmware Spring · CVE-2024-38820
**Name of the Vulnerable Software and Affected Versions** VMware Spring versions prior to 6.1.13

**Description** The issue concerns improper access controls in `DataBinder`: field-name matching relies on `String.toLowerCase()`, whose result is locale-dependent. In affected locales, fields that are meant to be protected may not match as expected, so they remain bindable and can lead to unauthorized access.

**Recommendations** For versions prior to 6.1.13, upgrade the affected components immediately to resolve the issue. As a temporary workaround, consider restricting access to sensitive fields until the upgrade is applied.
PT-2018-6626 · CVSS 5.4 · 2018-02-02
Atlassian · Crucible · CVE-2017-18034
**Name of the Vulnerable Software and Affected Versions** Atlassian Fisheye and Crucible versions prior to 4.5.1 and 4.6.0

**Description** The issue allows remote attackers with write access to an indexed repository to inject arbitrary HTML or JavaScript through a cross-site scripting (XSS) vulnerability. The injection is carried in a specially crafted repository branch name and is triggered when the application displays the deleted files of that branch.

**Recommendations** For versions prior to 4.5.1, update to version 4.5.1 or later. For versions prior to 4.6.0, update to version 4.6.0 or later. As a temporary workaround, consider restricting write access to indexed repositories until a patch is applied.