Rob Antonucci

**Name of the Vulnerable Software and Affected Versions** Big Switch Big Monitoring Fabric versions 6.2 through 6.2.4 Big Switch Big Monitoring Fabric versions 6.3 through 6.3.9 Big Switch Big Monitoring Fabric versions 7.0 through 7.0.3 Big Switch Big Monitoring Fabric versions 7.1 through 7.1.3 Big Cloud Fabric versions 4.5 through 4.5.5 Big Cloud Fabric versions 4.7 through 4.7.7 Big Cloud Fabric versions 5.0 through 5.0.1 Big Cloud Fabric versions 5.1 through 5.1.4 Multi-Cloud Director versions through 1.1.0 **Description** A read-only user can access sensitive information via an API endpoint that reveals session cookies of authenticated administrators, leading to privilege escalation. **Recommendations** For Big Switch Big Monitoring Fabric versions 6.2 through 6.2.4, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 6.3 through 6.3.9, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 7.0 through 7.0.3, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 7.1 through 7.1.3, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 4.5 through 4.5.5, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 4.7 through 4.7.7, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 5.0 through 5.0.1, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 5.1 through 5.1.4, update to a version outside of this range to mitigate the risk. For Multi-Cloud Director versions through 1.1.0, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the API endpoint that reveals session cookies of authenticated administrators until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Big Switch Big Monitoring Fabric versions 6.2 through 6.2.4 Big Switch Big Monitoring Fabric versions 6.3 through 6.3.9 Big Switch Big Monitoring Fabric versions 7.0 through 7.0.3 Big Switch Big Monitoring Fabric versions 7.1 through 7.1.3 Big Cloud Fabric versions 4.5 through 4.5.5 Big Cloud Fabric versions 4.7 through 4.7.7 Big Cloud Fabric versions 5.0 through 5.0.1 Big Cloud Fabric versions 5.1 through 5.1.4 Multi-Cloud Director versions through 1.1.0 **Description** An issue allows an unauthenticated attacker to inject stored arbitrary JavaScript, which can be executed in the content viewed by authenticated administrators, resulting in a cross-site scripting (XSS) attack. **Recommendations** For Big Switch Big Monitoring Fabric versions 6.2 through 6.2.4, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 6.3 through 6.3.9, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 7.0 through 7.0.3, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 7.1 through 7.1.3, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 4.5 through 4.5.5, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 4.7 through 4.7.7, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 5.0 through 5.0.1, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 5.1 through 5.1.4, update to a version outside of this range to mitigate the risk. For Multi-Cloud Director versions through 1.1.0, update to a version outside of this range to mitigate the risk.