Mike Cole

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions prior to 24.09.06 **Description** Improper Authentication occurs due to a password-change logic flaw, which can lead to Remote Code Execution (RCE), a process where an attacker can execute arbitrary commands on the target machine. **Recommendations** Upgrade to version 24.09.06.

**Name of the Vulnerable Software and Affected Versions** OpenGrok version 1.14.1 **Description** The application reflects unsanitized user input into the HTML output, leading to a reflected Cross-Site Scripting (XSS) issue when producing the cross reference page. This occurs due to improper handling of the `revision` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Syncope versions 3.0.0 through 3.0.13 Apache Syncope versions 4.0.0 through 4.0.1 **Description** Apache Syncope allows a malicious administrator to inject Groovy code that can be executed remotely by a running Apache Syncope Core instance. The software offers the ability to extend its base behavior through custom Java or Groovy interface implementations, with Groovy being attractive due to its runtime reload capability. This feature can be exploited to inject and execute malicious code. **Recommendations** Upgrade to Apache Syncope version 3.0.14 Upgrade to Apache Syncope version 4.0.2

**Name of the Vulnerable Software and Affected Versions** Files versions 0.16.9 and below **Description** The File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, potentially leading to Browser JS code execution in the context of the user’s session. **Recommendations** Update to version 0.16.10 or later.

**Name of the Vulnerable Software and Affected Versions** Files versions 0.16.9 and below **Description** Files, a module for managing files inside spaces and user profiles, lacks logic to prevent the exploitation of backend SQL queries without direct output. This could potentially allow unauthorized data access. **Recommendations** Update to version 0.16.10 or later.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions prior to 1.8.0 **Description** The issue occurs when a client request to a cluster node is replicated to other nodes for verification, and the Content-Length is forwarded. Specifically, on a DELETE request, the body is ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout. **Recommendations** For Apache NiFi versions prior to 1.8.0, upgrade to Apache NiFi 1.8.0 or a later version to apply the fix that checks DELETE requests and overwrites non-zero Content-Length header values.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions prior to 1.8.0 **Description** The template upload API endpoint is susceptible to a CSRF attack when combined with ARP spoofing and a man-in-the-middle (MiTM) attack. This complex attack vector requires client certificate authentication, same subnet access, and the injection of malicious code into an unprotected website that the targeted user later visits. The potential damage from this attack warrants a severe severity level. **Recommendations** For Apache NiFi versions prior to 1.8.0, upgrade to version 1.8.0 or later to apply the Cross-Origin Resource Sharing (CORS) policy request filtering fix.

Name of the Vulnerable Software and Affected Versions: Apache NiFi versions prior to 1.4.0 Apache NiFi versions prior to 1.5.0-RC1 Description: The issue allows any authenticated user to upload a template containing malicious code, potentially causing a denial of service via Java deserialization attack. Additionally, an attacker can perform XXE attacks through JAXB. Recommendations: For Apache NiFi versions prior to 1.4.0, upgrade to Apache NiFi 1.4.0 or later to properly handle Java deserialization and mitigate the risk of denial of service attacks. For Apache NiFi versions prior to 1.5.0-RC1, upgrade to Apache NiFi 1.5.0-RC1 or later to prevent XXE attacks through JAXB.

Name of the Vulnerable Software and Affected Versions: Apache NiFi versions prior to 1.5.0 Description: A malicious host header in an incoming HTTP request could cause Apache NiFi to load resources from an external server. Recommendations: For versions prior to 1.5.0, upgrade to Apache NiFi 1.5.0 or a later version to apply the fix that sanitizes host headers and compares them to a controlled whitelist.

**Name of the Vulnerable Software and Affected Versions** Apache NiFi versions prior to 1.4.0 **Description** The issue allows an authorized user to upload a template containing malicious code, which can then access sensitive files via an XML External Entity (XXE) attack. This occurs due to improper handling of XML External Entities. **Recommendations** For Apache NiFi versions prior to 1.4.0, upgrade to Apache NiFi 1.4.0 or a later version to properly handle XML External Entities and prevent XXE attacks.