Roberto Suggi Liverani

**Name of the Vulnerable Software and Affected Versions** NetScout nGeniusONE version 6.3.4 build 2298 **Description** The issue is related to a Stored Cross-Site scripting vulnerability. This allows for malicious scripts to be stored on the server and executed when a user accesses the affected page. **Recommendations** For NetScout nGeniusONE version 6.3.4 build 2298, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NETSCOUT nGeniusONE version 6.3.4 build 2298 **Description** The issue is a Reflected Cross-Site scripting (XSS) vulnerability that can be exploited by an authenticated user. **Recommendations** For NETSCOUT nGeniusONE version 6.3.4 build 2298, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NetScout nGeniusONE version 6.3.4 build 2298 **Description** The issue is related to a Stored Cross-Site scripting vulnerability. **Recommendations** For NetScout nGeniusONE version 6.3.4 build 2298, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NetScout nGeniusONE version 6.3.4 build 2298 **Description** The issue is a Stored Cross-Site scripting vulnerability. **Recommendations** For NetScout nGeniusONE version 6.3.4 build 2298, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NetScout nGeniusONE version 6.3.4 build 2298 **Description** The issue is a Reflected Cross-Site scripting vulnerability. **Recommendations** For NetScout nGeniusONE version 6.3.4 build 2298, consider disabling the affected feature or restricting access to the vulnerable component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NetScout nGeniusONE version 6.3.4 build 2298 **Description** The issue is related to a Stored Cross-Site scripting vulnerability. This allows an attacker to inject malicious scripts into the application, which can then be executed by other users. **Recommendations** For NetScout nGeniusONE version 6.3.4 build 2298, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DNA Center Software (affected versions not specified) **Description** The issue is related to weaknesses in the authorization procedure of the Cisco DNA Center application programming interface. It may allow a remote attacker to gain unauthorized access to protected information using a specially crafted API request. The vulnerability could enable an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DNA Center Software (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the API of Cisco DNA Center Software. These vulnerabilities could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. The vulnerability is also associated with deficiencies in the authorization procedure, which could allow an attacker to gain unauthorized access to protected information using a specially crafted API request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DNA Center Software (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the API of Cisco DNA Center Software. These vulnerabilities could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. The vulnerability is associated with weaknesses in the authorization procedure, which can be exploited by a remote attacker using a specially crafted API request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ArcGIS Server Manager versions prior to 10.8.1 Description: A stored Cross Site Scripting (XXS) issue may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application. Recommendations: For versions prior to 10.8.1, update to a version above 10.8.1 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.3 and 12.2.3 through 12.2.10 Description: The issue is related to insufficient input validation in the Proxy User Delegation component of Oracle User Management. This allows a low-privileged attacker with network access via HTTP to compromise Oracle User Management, resulting in unauthorized read access to a subset of Oracle User Management accessible data. Recommendations: For versions 12.1.3 and 12.2.3 through 12.2.10, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Proxy User Delegation component until a patch is available. Avoid using the vulnerable component via HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.2.9 **Description** The issue is related to the Attachments / File Upload component of the Oracle Applications Framework product. It allows a low-privileged attacker with network access via HTTP to compromise the framework, requiring human interaction from a person other than the attacker. Successful attacks can result in unauthorized access to critical data, complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. The vulnerability may significantly impact additional products. **Recommendations** For version 12.2.9, consider restricting access to the Attachments / File Upload component until a patch is available. As a temporary workaround, disabling the component may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dell Wyse Management Suite versions prior to 1.4.1 **Description** The issue concerns a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this to store malicious payload in the device heartbeat request. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. **Recommendations** For versions prior to 1.4.1, update to version 1.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the device heartbeat request to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kemp Load Master versions prior to 7.0-18a **Description** A CSRF issue exists in administrative pages, allowing for unspecified vectors of attack. **Recommendations** For versions prior to 7.0-18a, update to version 7.0-18a or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kemp Load Master versions 7.1-16 and earlier **Description** A Bash script injection issue exists due to a failure to sanitize input in the Web User Interface (WUI). **Recommendations** For versions 7.1-16 and earlier, update to a version later than 7.1-16 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 **Description** The issue allows remote attackers to execute arbitrary code on vulnerable installations. Multiple API endpoints are vulnerable to SQL Injection, including query installed applications, change ios setting, move group, eas agent check upgrade, notify devices to update, upload web app, update group, delete user, query event log, delete devices, notify devices to scan, add app category, export devices, search devices, get dep profile, remote wipe device, change device user, remote lock device, eas agent unregister, eas agent upload new devices, edit user, export eas devices, get moveto group list, locate device, get user list, move devices, invite devices, delete admin account, notify groups to scan, cancel command list, reinvite user, remove eas agent info, get device list brief by group, mdm register new connector, edit eas note, get device detail info, query user, add group, eas agent register, resend command list, get device location, broadcast group, get subgroup list, eas agent sync all devices, edit device, search user for report, notify groups to update, eas agent sync client info, broadcast devices, remote selective wipe device, show eas agent info, show eas devices, reset device passwd, search users for vpp, stop mirroring, remove command list, diagnose eas status, change user, eas agent command, invite devices, save eas agent setting, create db, get remote unlockstring, assign policy, delete group, search device invitations. Vulnerable parameters include application name, Device DeviceId, Id, SlinkId, AppFile, AdminName, Device DeviceGroupId, group id, Name, Device DeviceDeviceId, user name, LDAPAccount, CmdUUID, UserName, DeviceGroupId, id. **Recommendations** For Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3, update to version 9.7 Patch 3 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using vulnerable parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Trend Micro Mobile Security (Enterprise) versions prior to 9.7 Patch 3 **Description** The issue allows remote attackers to execute arbitrary code on vulnerable installations due to unrestricted file uploads. This can be achieved through various file upload functions, including `upload img file`, `upload font file`, `upload wallpaper file`, and `upload app file`. **Recommendations** For versions prior to 9.7 Patch 3, update to version 9.7 Patch 3 or later to resolve the issue. As a temporary workaround, consider restricting or disabling the file upload functionality until a patch is applied. Specifically, restrict access to the `upload img file`, `upload font file`, `upload wallpaper file`, and `upload app file` functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Trend Micro Threat Discovery Appliance version 2.6.1062r1 **Description** A command execution flaw exists in the admin sys time.cgi interface, specifically with the `timezone` parameter. **Recommendations** For version 2.6.1062r1, avoid using the `timezone` parameter in the admin sys time.cgi interface until a fix is available. As a temporary workaround, consider restricting access to the admin sys time.cgi interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Trend Micro Threat Discovery Appliance version 2.6.1062r1 **Description** The issue allows a remote, unauthenticated attacker to delete arbitrary files as root due to directory traversal when processing a `session id` cookie. This can be used to bypass authentication or cause a denial of service. The vulnerability exists because of incorrect restriction of the directory path name with limited access during the processing of the `session id` parameter from the cookie file. **Recommendations** For Trend Micro Threat Discovery Appliance version 2.6.1062r1, as a temporary workaround, consider restricting access to the `session id` cookie parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ESRI ArcGIS for Server version 10.1 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, which can lead to cross-site scripting (XSS) attacks. **Recommendations** For ESRI ArcGIS for Server version 10.1, update to a version that includes a fix for this issue, as no specific workaround is provided in the available data.