Maxence Schmitt

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 10.0.1, 2018.4.1, and V10CD **Description** The issue allows an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts due to a cross-site request forgery vulnerability. **Recommendations** For IBM DataPower Gateway version 10.0.1, update to a version that includes a fix for this issue. For IBM DataPower Gateway version 2018.4.1, update to a version that includes a fix for this issue. For IBM DataPower Gateway version V10CD, update to a version that includes a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 10.0.1.0 through 10.0.1.8 IBM DataPower Gateway versions 10.0.2.0 through 10.0.4.0 IBM DataPower Gateway version 10.5.0.0 IBM DataPower Gateway versions 2018.4.1.0 through 2018.4.1.21 **Description** This issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. **Recommendations** For versions 10.0.1.0 through 10.0.1.8, update to a fixed version to resolve the issue. For versions 10.0.2.0 through 10.0.4.0, update to a fixed version to resolve the issue. For version 10.5.0.0, update to a fixed version to resolve the issue. For versions 2018.4.1.0 through 2018.4.1.21, update to a fixed version to resolve the issue. As a temporary workaround, consider restricting access to the Web UI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 10.0.1.0 through 10.0.1.8 IBM DataPower Gateway versions 10.0.2.0 through 10.0.4.0 IBM DataPower Gateway version 10.5.0.0 IBM DataPower Gateway versions 2018.4.1.0 through 2018.4.1.21 **Description** The issue is related to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to expose sensitive information or consume memory resources. **Recommendations** For versions 10.0.1.0 through 10.0.1.8, update to a version that includes the fix for the XML External Entity Injection vulnerability. For versions 10.0.2.0 through 10.0.4.0, update to a version that includes the fix for the XML External Entity Injection vulnerability. For version 10.5.0.0, update to a version that includes the fix for the XML External Entity Injection vulnerability. For versions 2018.4.1.0 through 2018.4.1.21, update to a version that includes the fix for the XML External Entity Injection vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 10.0.1.0 through 10.0.1.8 IBM DataPower Gateway versions 10.0.2.0 through 10.0.4.0 IBM DataPower Gateway version 10.5.0.0 IBM DataPower Gateway versions 2018.4.1.0 through 2018.4.1.21 **Description** The issue is related to server-side request forgery (SSRF), which may allow an authenticated attacker to send unauthorized requests from the system. This could potentially lead to network enumeration or facilitate other attacks. **Recommendations** For versions 10.0.1.0 through 10.0.1.8, update to a version outside of this range to resolve the issue. For versions 10.0.2.0 through 10.0.4.0, update to a version outside of this range to resolve the issue. For version 10.5.0.0, update to a newer version to resolve the issue. For versions 2018.4.1.0 through 2018.4.1.21, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 10.0.1.0 through 10.0.1.8 IBM DataPower Gateway versions 10.0.2.0 through 10.0.4.0 IBM DataPower Gateway version 10.5.0.0 IBM DataPower Gateway versions 2018.4.1.0 through 2018.4.1.21 **Description** This issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. **Recommendations** For versions 10.0.1.0 through 10.0.1.8, update to a fixed version to resolve the issue. For versions 10.0.2.0 through 10.0.4.0, update to a fixed version to resolve the issue. For version 10.5.0.0, update to a fixed version to resolve the issue. For versions 2018.4.1.0 through 2018.4.1.21, update to a fixed version to resolve the issue. As a temporary workaround, consider restricting access to the Web UI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ForgeRock Access Management versions prior to 7.1.1 ForgeRock Access Management versions 6.5 prior to 6.5.4 ForgeRock Access Management versions prior to 6.5 **Description** The issue is related to missing access control, allowing remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. **Recommendations** For ForgeRock Access Management versions prior to 7.1.1, update to version 7.1.1 or later. For ForgeRock Access Management versions 6.5 prior to 6.5.4, update to version 6.5.4 or later. For ForgeRock Access Management versions prior to 6.5, update to version 6.5 or later.