Mikhail Firstov

**Name of the Vulnerable Software and Affected Versions** Advantech WebAccess versions prior to 8.1 **Description** The issue is related to the external control of a file name or path in the Advantech WebAccess browser plugin, which can be exploited by a remote attacker to execute arbitrary code. **Recommendations** For Advantech WebAccess versions prior to 8.1, update to version 8.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Advantech WebAccess versions prior to 8.1 **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability, which can be exploited by a remote attacker to hijack the authentication of arbitrary users. This can be achieved by using special scripts to mimic trusted accounts. **Recommendations** For Advantech WebAccess versions prior to 8.1, update to version 8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Advantech WebAccess versions prior to 8.1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors due to inadequate protection of the web page structure during authentication. The exploitation of this issue may enable a remote attacker to inject arbitrary web scripts or HTML code because of incorrect filtering of user-input data. **Recommendations** For Advantech WebAccess versions prior to 8.1, update to version 8.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Oracle Fusion Middleware version 10.1.3.5 **Description** The issue is related to HTTP Request Handling in the Oracle Containers for J2EE component. It allows remote attackers to affect integrity. The vulnerability is also described as being related to insufficient checking of values in HTTP headers, which can be exploited by adding special CRLF symbols to the header value, allowing an attacker to form a fake HTTP response and display arbitrary data to the user in the context of the vulnerable application. **Recommendations** For Oracle Fusion Middleware version 10.1.3.5, consider restricting access to the HTTP Request Handling component until a patch is available. As a temporary workaround, avoid using HTTP headers that can be manipulated by an attacker. At the moment, there is no information about a newer version that contains a fix for this vulnerability.