Rafal Lykowski

**Name of the Vulnerable Software and Affected Versions** Cisco Identity Services Engine (ISE) (affected versions not specified) **Description** A vulnerability in specific CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. This is due to insufficient validation of user-supplied input. An attacker could exploit this by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root. The attacker must have valid Administrator privileges on an affected device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: VMware Cloud Director Availability (affected versions not specified) Description: The issue is related to an HTML injection vulnerability. A malicious actor with network access to VMware Cloud Director Availability can craft malicious HTML tags to execute within replication tasks, potentially allowing for cross-site scripting (XSS) attacks by injecting malicious HTML tags. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: VMware Cloud Director Object Storage Extension (affected versions not specified) Description: The issue concerns an Insertion of Sensitive Information, where a malicious actor with adjacent access to web/proxy server logging may obtain sensitive information from logged URLs. This could allow a remote attacker to gain unauthorized access to protected information due to insufficient protection of service data. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Liferay Digital Experience Platform version 7.3.10 SP3 **Description** A Cross-site scripting (XSS) issue exists in the file upload functionality of the Document and Media module, allowing remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg files. **Recommendations** For Liferay Digital Experience Platform version 7.3.10 SP3, consider restricting access to the file upload functionality in the Document and Media module until a fix is available, and avoid using the description field for uploaded svg files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Liferay Digital Experience Platform version 7.3.10 SP3 **Description** A Cross-site scripting (XSS) issue in the Blog module's add new topic functionality allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topics. **Recommendations** For Liferay Digital Experience Platform version 7.3.10 SP3, consider restricting access to the Blog module's add new topic functionality until a fix is available. As a temporary workaround, restrict the ability to inject arbitrary JS script or HTML into the name field of newly created topics.

**Name of the Vulnerable Software and Affected Versions** eLabFTW versions prior to 4.0.0 **Description** This issue affects an open source electronic lab notebook for research labs, allowing an attacker to make GET requests on behalf of the server. The attack is "blind" because the attacker cannot see the result of the request. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0 to resolve the issue.