Pawel Gocyla

**Name of the Vulnerable Software and Affected Versions** Micro Focus Verastream Host Integrator versions 7.8 Update 1 and earlier **Description** The issue is related to an XML External Entity vulnerability, which could allow the control of a web browser and hijacking of user sessions. **Recommendations** For versions 7.8 Update 1 and earlier, update to a version later than 7.8 Update 1 to resolve the issue. As a temporary workaround, consider restricting web browser access to minimize the risk of session hijacking.

**Name of the Vulnerable Software and Affected Versions** Micro Focus Verastream Host Integrator versions 7.8 Update 1 and earlier **Description** The issue is a Reflected Cross-Site Scripting vulnerability that could allow disclosure of confidential data. **Recommendations** For versions 7.8 Update 1 and earlier, update to a version later than 7.8 Update 1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PeopleSoft Enterprise PeopleTools versions 8.56 through 8.58 **Description** The issue is related to insufficient access control in the Portal component of Oracle PeopleSoft Enterprise PeopleTools, allowing an unauthenticated attacker with logon to the infrastructure to compromise PeopleSoft Enterprise PeopleTools, potentially resulting in a takeover of the application. **Recommendations** For versions 8.56 through 8.58, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Identity Services Engine (ISE) (affected versions not specified) **Description** A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** macOS Catalina versions prior to 10.15.1 **Description** An input validation issue was addressed with improved input validation. An attacker in a privileged network position may be able to leak sensitive user information. **Recommendations** For macOS Catalina versions prior to 10.15.1, update to macOS Catalina 10.15.1 or apply Security Update 2019-001 or Security Update 2019-006 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS Catalina versions prior to 10.15.1 **Description** A denial of service issue was addressed with improved validation. An attacker in a privileged position may be able to perform a denial of service attack. **Recommendations** For macOS Catalina versions prior to 10.15.1, update to macOS Catalina 10.15.1 or apply Security Update 2019-001 or Security Update 2019-006 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM InfoSphere Information Server versions 11.3 through 11.7 **Description** The issue allows an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts due to cross-site request forgery. **Recommendations** For IBM InfoSphere Information Server versions 11.3 through 11.7, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM InfoSphere Information Server versions 11.3, 11.5, and 11.7 **Description** The issue allows for a XML External Entity Injection (XXE) attack when processing XML data, potentially enabling a remote attacker to expose sensitive information or consume memory resources. **Recommendations** For IBM InfoSphere Information Server versions 11.3, 11.5, and 11.7, update to a version that includes a fix for this issue to prevent XXE attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM InfoSphere Information Server versions 11.3, 11.5, and 11.7 **Description** The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. **Recommendations** For versions 11.3, 11.5, and 11.7, update to a version that includes a fix for this issue to prevent cross-site scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM InfoSphere Information Server versions 11.5 through 11.7 **Description** The issue allows a remote attacker to send specially-crafted SQL statements, potentially enabling them to view, add, modify, or delete information in the back-end database. **Recommendations** For versions 11.5 through 11.7, update to a version that includes a fix for this issue to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Integrated Portal versions 2.2.0.0 through 2.2.0.15 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For versions 2.2.0.0 through 2.2.0.15, update to a version outside of this range to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenText Document Sciences xPression version 4.5SP1 Patch 13 Description: The issue is related to SQL Injection in xDashboard. Recommendations: For version 4.5SP1 Patch 13, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum Webtop versions 6.8.0160.0073 **Description** The issue is related to an XML external entity (XXE) vulnerability in the web interface of OpenText Documentum Webtop. This vulnerability can be exploited by a remote attacker to read arbitrary files, cause a denial of service, or obtain user hashes on Windows systems. The exploitation involves crafted XML structures, such as a crafted DTD, in requests to specific API endpoints like `xda/com/documentum/ucf/server/transport/impl/GAIRConnector`, or through the import or check-in of crafted XML files in a MediaProfile file. **Recommendations** For OpenText Documentum Webtop version 6.8.0160.0073, consider disabling the `GAIRConnector` function until a patch is available to prevent exploitation through crafted XML structures. Restrict access to the MediaProfile file import and check-in features to minimize the risk of XXE attacks. Avoid using crafted DTDs in XML requests to prevent denial of service or arbitrary file reading. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum Administrator version 7.2.0180.0055 **Description** The issue is related to incorrect restriction of XML external entities (XXE) in the OpenText Documentum Administrator. This can be exploited by a remote attacker to read arbitrary files, cause a denial of service, or obtain user hashes on Windows systems. The exploitation involves crafted XML structures, such as a DTD, in requests to specific API endpoints like `xda/com/documentum/ucf/server/transport/impl/GAIRConnector`, or through the import or check-in of crafted XML files in a MediaProfile file. **Recommendations** For OpenText Documentum Administrator version 7.2.0180.0055, consider disabling the import and check-in functionality for XML files in MediaProfile until a patch is available. Restrict access to the `xda/com/documentum/ucf/server/transport/impl/GAIRConnector` endpoint to minimize the risk of exploitation. Avoid using crafted DTDs or XML structures in requests to prevent potential attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hitachi Device Manager versions prior to 8.5.2-01 Hitachi Replication Manager versions prior to 8.5.2-00 **Description** A cross-site scripting issue allows authenticated remote users to execute arbitrary JavaScript code. **Recommendations** For Hitachi Device Manager versions prior to 8.5.2-01, update to version 8.5.2-01 or later. For Hitachi Replication Manager versions prior to 8.5.2-00, update to version 8.5.2-00 or later.