Pavel Polischouk

**Name of the Vulnerable Software and Affected Versions** KIE server and Business Central versions prior to 7.21.0.Final **Description** A security issue has been reported where `username` and `password` are stored as plaintext Java properties. This allows any application deployed on the same server to access these properties, potentially granting access to other services. **Recommendations** For versions prior to 7.21.0.Final, update to version 7.21.0.Final or later to resolve the issue. As a temporary workaround, consider restricting access to the server to minimize the risk of exploitation. Avoid using plaintext storage for sensitive information like `username` and `password` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JBoss BRMS 6 and BPM Suite 6 **Description** The issue is related to a stored XSS flaw in the business process editor, caused by an incomplete fix. Remote, authenticated attackers with privileges to create business processes can store scripts that are not properly sanitized, allowing them to be executed when shown to other users, including administrators. **Recommendations** For JBoss BRMS 6 and BPM Suite 6, consider restricting access to the business process editor to minimize the risk of exploitation until a proper fix is applied. As a temporary workaround, ensure that all scripts created within business processes are manually sanitized before being displayed to other users.

Name of the Vulnerable Software and Affected Versions: Red Hat JBoss BPM Suite versions prior to 6.4.2 Red Hat JBoss Data Virtualization & Services versions prior to 6.4.3 Description: A security issue was found in the Dashbuilder login page, which could be opened in an IFRAME. This allowed for the interception and manipulation of requests, making it possible for an attacker to trick a user into performing arbitrary actions in the Console through clickjacking. Recommendations: For Red Hat JBoss BPM Suite versions prior to 6.4.2, update to version 6.4.2 or later to resolve the issue. For Red Hat JBoss Data Virtualization & Services versions prior to 6.4.3, update to version 6.4.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Red Hat JBoss BPM Suite versions prior to 6.3.3 **Description** A cross-site scripting (XSS) issue exists, allowing remote authenticated users with permission to create business processes to inject arbitrary web script or HTML. **Recommendations** For versions prior to 6.3.3, update to version 6.3.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dashbuilder versions prior to 0.6.0.Beta1 **Description** The issue allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the Data Set Authoring or Displayer editor UI. This is due to a SQL injection vulnerability in the `getStringParameterSQL` method. **Recommendations** For versions prior to 0.6.0.Beta1, update to version 0.6.0.Beta1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `getStringParameterSQL` method in the `DefaultDialect.java` file until a patch is available. Avoid using the data set lookup filter in the Data Set Authoring or Displayer editor UI until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JBoss Overlord Run Time Governance (RTGov) version 1.0 for JBossAS **Description** The issue allows remote authenticated users to execute arbitrary Java code via an MVFLEX Expression Language (MVEL) expression. **Recommendations** For JBoss Overlord Run Time Governance (RTGov) version 1.0 for JBossAS, consider restricting access to MVEL expressions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime versions prior to 7.7.3 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via a crafted style element in a QuickTime TeXML file. This is due to multiple buffer overflows in the affected software. **Recommendations** For versions prior to 7.7.3, update to version 7.7.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime versions prior to 7.7.3 **Description** The issue is related to a buffer overflow in the plugin, which can be triggered by a crafted MIME type. This can lead to the execution of arbitrary code or cause a denial of service, resulting in an application crash. **Recommendations** For versions prior to 7.7.3, update to version 7.7.3 or later to resolve the issue.