Pawel Haldrzynski

**Name of the Vulnerable Software and Affected Versions** Cisco SD-WAN vManage Software (affected versions not specified) **Description** The issue is related to insufficient input validation by the web-based management interface, allowing an authenticated, remote attacker to conduct Cypher query language injection attacks. This could be achieved by sending crafted HTTP requests to the interface of an affected system, potentially resulting in the attacker obtaining sensitive information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Newscoop versions 4.x through 4.1.0 **Description** The issue involves multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or HTML. This can be achieved through vectors involving the `language` parameter to "application/modules/admin/controllers/LanguagesController.php" or the `user` parameter to "application/modules/admin/controllers/UserController.php". **Recommendations** For Newscoop versions 4.x through 4.1.0, consider disabling access to the `LanguagesController.php` and `UserController.php` controllers until a patch is available. Restrict input for the `language` and `user` parameters in these controllers to minimize the risk of exploitation.