Oliver Haufe

**Name of the Vulnerable Software and Affected Versions** SOS JobScheduler versions 1.11 through 1.13.2 **Description** A large or infinite loop issue in the JOC Cockpit component allows attackers to parameterize housekeeping jobs, potentially exhausting system resources and resulting in a denial of service. **Recommendations** For SOS JobScheduler versions 1.11 through 1.13.2, consider restricting access to the JOC Cockpit component to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SOS JobScheduler versions 1.12 through 1.13.2 **Description** A vulnerability exists in the JOC Cockpit component, allowing attackers to read files from the server via an entity declaration in XML documents used for job and order run-time settings. **Recommendations** For SOS JobScheduler versions 1.12 through 1.13.2, consider disabling the XML External Entity (XEE) processing in the JOC Cockpit component until a patch is available. Restrict access to sensitive files on the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SOS JobScheduler versions 1.11 through 1.13.2 **Description** A cross-site scripting (XSS) issue allows attackers to inject arbitrary web script or HTML via JSON properties available from the REST API. This affects the JOC Cockpit component. **Recommendations** For SOS JobScheduler versions 1.11 through 1.13.2, consider restricting access to the REST API to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using JSON properties that allow arbitrary web script or HTML injection in the JOC Cockpit component.

**Name of the Vulnerable Software and Affected Versions** JobScheduler versions prior to 1.6.4246 JobScheduler versions 7.x prior to 1.7.4241 **Description** The issue allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference. **Recommendations** For JobScheduler versions prior to 1.6.4246, update to version 1.6.4246 or later. For JobScheduler versions 7.x prior to 1.7.4241, update to version 1.7.4241 or later.

**Name of the Vulnerable Software and Affected Versions** SOS JobScheduler versions prior to 1.6.4246 SOS JobScheduler versions 1.7.x prior to 1.7.4241 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `location.hash` property. **Recommendations** For SOS JobScheduler versions prior to 1.6.4246, update to version 1.6.4246 or later. For SOS JobScheduler versions 1.7.x prior to 1.7.4241, update to version 1.7.4241 or later.

**Name of the Vulnerable Software and Affected Versions** SOS JobScheduler versions prior to 1.6.4246 SOS JobScheduler versions 1.7.x prior to 1.7.4241 **Description** A directory traversal issue exists in the JobScheduler Operations Center (JOC) that allows remote authenticated users with the info permission to read arbitrary files in the webroot. **Recommendations** For SOS JobScheduler versions prior to 1.6.4246, update to version 1.6.4246 or later. For SOS JobScheduler versions 1.7.x prior to 1.7.4241, update to version 1.7.4241 or later.