Noriaki Iwasaki

**Name of the Vulnerable Software and Affected Versions** Aterm (affected versions not specified) **Description** A cross-site scripting issue exists in the web management interface. This allows arbitrary scripts to be executed in the web browser of a user accessing the interface from an adjacent network. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Jena versions prior to 5.5.0 **Description** Users with administrator access can create database files outside the designated files area of the Fuseki server. **Recommendations** Upgrade to version 5.5.0.

**Name of the Vulnerable Software and Affected Versions** EC-CUBE versions 4.0.0 through 4.1.2 **Description** A DOM-based cross-site scripting issue allows a remote attacker to inject an arbitrary script by having an administrative user of the product visit a specially crafted page. **Recommendations** For versions 4.0.0 through 4.1.2, update to a version that contains a fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EC-CUBE versions 3.0.0 through 3.0.18-p4 EC-CUBE versions 4.0.0 through 4.1.2 **Description** A directory traversal issue allows a remote authenticated attacker with administrative privileges to obtain the product's directory structure information. **Recommendations** For EC-CUBE versions 3.0.0 through 3.0.18-p4, update to a version outside of this range to mitigate the risk. For EC-CUBE versions 4.0.0 through 4.1.2, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to administrative privileges to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Aterm WG2600HP firmware versions 1.0.2 and earlier Aterm WG2600HP2 firmware versions 1.0.2 and earlier Description: The issue allows remote attackers to inject an arbitrary script via unspecified vectors, which is a cross-site scripting vulnerability. Recommendations: For Aterm WG2600HP firmware versions 1.0.2 and earlier, update to a version later than 1.0.2. For Aterm WG2600HP2 firmware versions 1.0.2 and earlier, update to a version later than 1.0.2.

Name of the Vulnerable Software and Affected Versions: Aterm WG2600HP versions 1.0.2 and earlier Aterm WG2600HP2 versions 1.0.2 and earlier Description: A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators via unspecified vectors. This could potentially lead to unauthorized access to administrative functions. Recommendations: For Aterm WG2600HP versions 1.0.2 and earlier, update to a version later than 1.0.2 to resolve the issue. For Aterm WG2600HP2 versions 1.0.2 and earlier, update to a version later than 1.0.2 to resolve the issue. As a temporary workaround, consider implementing additional authentication measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions 5.0.x prior to 5.0.16 Splunk Enterprise versions 6.0.x prior to 6.0.12 Splunk Enterprise versions 6.1.x prior to 6.1.11 Splunk Enterprise versions 6.2.x prior to 6.2.10 Splunk Enterprise versions 6.3.x prior to 6.3.6 Splunk Enterprise versions 6.4.x prior to 6.4.3 Splunk Light versions prior to 6.4.3 **Description** The issue allows attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. The exact vectors used for the attack are not specified. **Recommendations** For Splunk Enterprise version 5.0.x, update to version 5.0.16 or later. For Splunk Enterprise version 6.0.x, update to version 6.0.12 or later. For Splunk Enterprise version 6.1.x, update to version 6.1.11 or later. For Splunk Enterprise version 6.2.x, update to version 6.2.10 or later. For Splunk Enterprise version 6.3.x, update to version 6.3.6 or later. For Splunk Enterprise version 6.4.x, update to version 6.4.3 or later. For Splunk Light, update to version 6.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions 6.2.x through 6.2.10 Splunk Enterprise versions 6.3.x through 6.3.5 Splunk Enterprise versions 6.4.x through 6.4.1 Splunk Light versions prior to 6.4.2 **Description** The issue allows attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. **Recommendations** For Splunk Enterprise versions 6.2.x through 6.2.10, update to version 6.2.11 or later. For Splunk Enterprise versions 6.3.x through 6.3.5, update to version 6.3.6 or later. For Splunk Enterprise versions 6.4.x through 6.4.1, update to version 6.4.2 or later. For Splunk Light versions prior to 6.4.2, update to version 6.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions 6.3.0 through 6.3.4 Splunk Light versions 6.3.0 through 6.3.4 **Description** A cross-site scripting issue allows an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For Splunk Enterprise versions 6.3.0 through 6.3.4, update to version 6.3.5 or later. For Splunk Light versions 6.3.0 through 6.3.4, update to version 6.3.5 or later.

**Name of the Vulnerable Software and Affected Versions** Tenable Nessus versions prior to 6.9 **Description** A cross-site scripting (XSS) issue exists, allowing remote authenticated users to inject arbitrary web script or HTML. This is related to the handling of .nessus files. **Recommendations** For versions prior to 6.9, update to version 6.9 or later to resolve the issue.