Owais Zaman

Name of the Vulnerable Software and Affected Versions: Oracle AutoVue version 21.0 Description: The issue is related to insufficient access control in the Security component of Oracle AutoVue, allowing a remote attacker to modify, add, or delete data using the HTTP protocol. This can result in unauthorized access to some of Oracle AutoVue's accessible data. Recommendations: For Oracle AutoVue version 21.0, consider restricting access to the Security component until a patch is available. As a temporary workaround, limit the use of HTTP protocol to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Primavera P6 Enterprise Project Portfolio Management versions 16.2.0.0 through 16.2.19.3 Primavera P6 Enterprise Project Portfolio Management versions 17.12.0.0 through 17.12.17.0 Primavera P6 Enterprise Project Portfolio Management versions 18.8.0.0 through 18.8.18.0 Primavera P6 Enterprise Project Portfolio Management versions 19.12.1.0 through 19.12.3.0 Primavera P6 Enterprise Project Portfolio Management versions 20.1.0.0 through 20.2.0.0 **Description** The issue is related to insufficient access control in the Project Manager component of the Primavera P6 Enterprise Project Portfolio Management product. It allows a low-privileged attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The attacks can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For versions 16.2.0.0 through 16.2.19.3, update to a version outside of this range to mitigate the risk. For versions 17.12.0.0 through 17.12.17.0, update to a version outside of this range to mitigate the risk. For versions 18.8.0.0 through 18.8.18.0, update to a version outside of this range to mitigate the risk. For versions 19.12.1.0 through 19.12.3.0, update to a version outside of this range to mitigate the risk. For versions 20.1.0.0 through 20.2.0.0, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Project Manager component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Primavera P6 Enterprise Project Portfolio Management versions 16.2.0.0 through 16.2.19.3 Primavera P6 Enterprise Project Portfolio Management versions 17.12.0.0 through 17.12.17.0 Primavera P6 Enterprise Project Portfolio Management versions 18.8.0.0 through 18.8.18.0 Primavera P6 Enterprise Project Portfolio Management versions 19.12.1.0 through 19.12.3.0 Primavera P6 Enterprise Project Portfolio Management versions 20.1.0.0 through 20.2.0.0 **Description** The issue is related to insufficient access control in the Project Manager component of the Primavera P6 Enterprise Project Portfolio Management product. It allows a low-privileged attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The exploitation can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data and the ability to cause a partial denial of service. **Recommendations** For versions 16.2.0.0 through 16.2.19.3, update to a version outside of this range to mitigate the risk. For versions 17.12.0.0 through 17.12.17.0, update to a version outside of this range to mitigate the risk. For versions 18.8.0.0 through 18.8.18.0, update to a version outside of this range to mitigate the risk. For versions 19.12.1.0 through 19.12.3.0, update to a version outside of this range to mitigate the risk. For versions 20.1.0.0 through 20.2.0.0, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Project Manager component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Primavera P6 Enterprise Project Portfolio Management versions 15.1.0.0 through 15.2.18.7 Primavera P6 Enterprise Project Portfolio Management versions 16.1.0.0 through 16.2.19.0 Primavera P6 Enterprise Project Portfolio Management versions 17.1.0.0 through 17.12.16.0 Primavera P6 Enterprise Project Portfolio Management versions 18.1.0.0 through 18.8.16.0 Primavera P6 Enterprise Project Portfolio Management version 19.12.0.0 **Description** The vulnerability is related to insufficient access control in the Web Access component of the Primavera P6 Enterprise Project Portfolio Management application. It allows a remote attacker to gain unauthorized access to protected information or modify, add, or delete data using the HTTP protocol. Successful attacks require human interaction and can significantly impact additional products, resulting in unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For versions 15.1.0.0 through 15.2.18.7, update to a version outside of this range to mitigate the risk. For versions 16.1.0.0 through 16.2.19.0, update to a version outside of this range to mitigate the risk. For versions 17.1.0.0 through 17.12.16.0, update to a version outside of this range to mitigate the risk. For versions 18.1.0.0 through 18.8.16.0, update to a version outside of this range to mitigate the risk. For version 19.12.0.0, update to a newer version to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Oracle AutoVue version 21.0.2 **Description** The issue is related to a lack of protection for service data in the Security component of Oracle AutoVue, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle AutoVue. Successful attacks can result in unauthorized read access to a subset of Oracle AutoVue accessible data. **Recommendations** For Oracle AutoVue version 21.0.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.