Mohamed Sayed

Name of the Vulnerable Software and Affected Versions: Cisco Unified Communications Manager versions (affected versions not specified) Cisco Unified Communications Manager Session Management Edition versions (affected versions not specified) Description: The issue is related to the improper inclusion of sensitive information in downloadable files, which could allow an authenticated, remote attacker to access sensitive information on an affected device. An attacker could exploit this by authenticating to the device and issuing specific commands, potentially obtaining hashed credentials of system users. The attacker would need valid user credentials with elevated privileges to exploit this issue. Recommendations: For Cisco Unified Communications Manager, restrict access to downloadable files until a patch is available. For Cisco Unified Communications Manager Session Management Edition, consider disabling the ability to download sensitive files as a temporary workaround until a fix is provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Unified Communications Manager versions (affected versions not specified) Cisco Unified Communications Manager IM & Presence Service versions (affected versions not specified) Cisco Unified Communications Manager Session Management Edition versions (affected versions not specified) Cisco Unity Connection versions (affected versions not specified) **Description** The web-based management interface of the affected Cisco products does not properly validate user-supplied input, allowing an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. An attacker could exploit this issue by persuading an interface user to click a crafted link, potentially executing arbitrary script code in the context of the affected interface or accessing sensitive browser-based information. **Recommendations** For Cisco Unified Communications Manager, update to a version that properly validates user-supplied input to prevent cross-site scripting attacks. For Cisco Unified Communications Manager IM & Presence Service, update to a version that properly validates user-supplied input to prevent cross-site scripting attacks. For Cisco Unified Communications Manager Session Management Edition, update to a version that properly validates user-supplied input to prevent cross-site scripting attacks. For Cisco Unity Connection, update to a version that properly validates user-supplied input to prevent cross-site scripting attacks. As a temporary workaround, consider restricting access to the web-based management interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Unified Communications Manager versions (affected versions not specified) Cisco Unified Communications Manager IM & Presence Service versions (affected versions not specified) Cisco Unified Communications Manager Session Management Edition versions (affected versions not specified) Cisco Unity Connection versions (affected versions not specified) **Description** The web-based management interface of the affected Cisco products does not properly validate user-supplied input, allowing an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. An attacker could exploit this issue by persuading an interface user to click a crafted link, potentially executing arbitrary script code in the context of the affected interface or accessing sensitive browser-based information. **Recommendations** For Cisco Unified Communications Manager, update to a version that properly validates user-supplied input to prevent XSS attacks. For Cisco Unified Communications Manager IM & Presence Service, update to a version that properly validates user-supplied input to prevent XSS attacks. For Cisco Unified Communications Manager Session Management Edition, update to a version that properly validates user-supplied input to prevent XSS attacks. For Cisco Unity Connection, update to a version that properly validates user-supplied input to prevent XSS attacks. As a temporary workaround, consider restricting access to the web-based management interface to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Microsoft Exchange Server (affected versions not specified) Description: A spoofing issue exists in Microsoft Exchange Server, related to errors in information representation by the user interface. This could allow a remote attacker to conduct spoofing attacks, potentially impersonating a user. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. Recommendations: To prevent these types of attacks, download inline images from different DNS domains than the rest of OWA. Please see further instructions in the FAQ to put in place these mitigations. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Security Identity Governance and Intelligence versions 5.2.3.2 through 5.2.4 **Description** The issue allows a remote attacker to send specially-crafted SQL statements, potentially enabling the attacker to view information in the back-end database. This is achieved through SQL injection. **Recommendations** For versions 5.2.3.2 and 5.2.4, consider restricting access to the database to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM Security Identity Governance and Intelligence versions 5.2.3.2 through 5.2.4 **Description** The issue is related to missing authentication in the survey application of IBM Security Identity Governance and Intelligence, which could allow an attacker to obtain sensitive information. **Recommendations** For versions 5.2.3.2 and 5.2.4, consider implementing additional authentication mechanisms for the survey application to prevent unauthorized access until a patch is available.