Spyridon Chatzimichail

**Name of the Vulnerable Software and Affected Versions** Oracle Communications Order and Service Management versions 7.4.0 through 7.4.1 **Description** The issue is related to insufficient input validation in the User Management component of Oracle Communications Order and Service Management, allowing a remote attacker with low privileges and network access via HTTP to compromise the system. Successful attacks can result in unauthorized read access to a subset of accessible data. **Recommendations** For versions 7.4.0 and 7.4.1, update to a version that includes the fix for this issue to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion Financial Management version 11.1.2.4 **Description** The issue exists due to insufficient input validation in the Task Automation component of Oracle Hyperion Financial Management. This allows a remote attacker to read data, modify data, cause a partial denial of service, or gain privileged access via HTTP requests. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to some of the application's data. **Recommendations** For version 11.1.2.4, consider restricting access to the Task Automation component until a patch is available. As a temporary workaround, limit the use of HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Hyperion Planning version 11.1.2.4 **Description** The issue is related to insufficient input validation in the Application Development Framework component. It allows a high-privileged attacker with network access via HTTP to compromise Hyperion Planning, but successful attacks require human interaction from a person other than the attacker. This can result in unauthorized creation, deletion, or modification access to critical data or all Hyperion Planning accessible data. **Recommendations** For version 11.1.2.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 3.9.1 Moodle versions prior to 3.8.4 Moodle versions prior to 3.7.7 **Description** The issue is related to a reflected XSS risk in the admin task log filter. This suggests a potential for malicious script execution due to insufficient sanitizing of user input. **Recommendations** For versions prior to 3.9.1, update to version 3.9.1 or later. For versions prior to 3.8.4, update to version 3.8.4 or later. For versions prior to 3.7.7, update to version 3.7.7 or later.

Name of the Vulnerable Software and Affected Versions: Oracle Commerce Platform versions prior to 11.3.1 Description: The issue is related to insufficient input validation in the Dynamo Application Framework component of the Oracle Commerce Platform. It allows an unauthenticated attacker with network access via HTTP to compromise the platform. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The exploitation can result in unauthorized update, insert, or delete access to some of the Oracle Commerce Platform's accessible data. Recommendations: For versions prior to 11.3.1, update to version 11.3.1 or later to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle Commerce Platform versions prior to 11.3.1 Oracle Commerce Platform version 11.1 Oracle Commerce Platform version 11.2 Description: The issue is related to insufficient input validation in the Dynamo Application Framework component of the Oracle Commerce Platform. This allows a remote attacker with high privileges and network access via HTTP to compromise the platform. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized update, insert, or delete access to some of the platform's accessible data, as well as unauthorized read access to a subset of the platform's accessible data. Recommendations: For Oracle Commerce Platform versions prior to 11.3.1, update to version 11.3.1 or later to resolve the issue. For Oracle Commerce Platform version 11.1, update to version 11.3.1 or later to resolve the issue. For Oracle Commerce Platform version 11.2, update to version 11.3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Oracle MySQL Server versions 8.0.20 and prior **Description** The issue is related to inadequate access control in the Server: Options component of Oracle MySQL Server. It allows a highly privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the MySQL Server. **Recommendations** For versions 8.0.20 and prior, update to a version later than 8.0.20 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle MySQL Server versions 8.0.20 and prior **Description** The issue is related to the InnoDB component of Oracle MySQL Server and is associated with inadequate access control. It allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in unauthorized update, insert, or delete access to some of the MySQL Server's accessible data. The vulnerability can also cause a hang or frequently repeatable crash of the MySQL Server. **Recommendations** For versions 8.0.20 and prior, update to a version later than 8.0.20 to resolve the issue. As a temporary workaround, consider restricting access to the InnoDB component to minimize the risk of exploitation. Restrict network access to the MySQL Server to reduce the attack surface.

Name of the Vulnerable Software and Affected Versions: IBM MobileFirst Platform Foundation versions 6.3 through 8.0 Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session due to cross-site scripting. Recommendations: For versions 6.3 through 8.0, update to a version that includes the fix for this issue to prevent cross-site scripting attacks.

**Name of the Vulnerable Software and Affected Versions** IBM Tealeaf Customer Experience versions 8.0 through 9.0.2 **Description** The issue allows remote attackers to bypass authentication via unspecified vectors in the search and replay servers. **Recommendations** For versions 8.0 through 9.0.2, update to a version that contains a fix for this issue to prevent authentication bypass.

**Name of the Vulnerable Software and Affected Versions** OpenJPEG version 2.1.1 **Description** A buffer overflow in the jpeg2000 image file format parser as implemented in the OpenJpeg library causes arbitrary code execution when parsing a crafted image. A specially crafted jpeg2000 file can cause an out of bound heap write resulting in heap corruption leading to arbitrary code execution. The attack requires the target user to open a malicious jpeg2000 file. The jpeg2000 image file format is mostly used for embedding images inside PDF documents, and the OpenJpeg library is used by a number of popular PDF renderers, making PDF documents a likely attack vector. **Recommendations** For OpenJPEG version 2.1.1, consider avoiding the use of the jpeg2000 image file format until a patch is available, and restrict access to PDF documents that may contain malicious jpeg2000 files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM Tealeaf Customer Experience versions prior to 8.7.1.8818 IBM Tealeaf Customer Experience versions prior to 8.8.0.9026 IBM Tealeaf Customer Experience version 9.0.0 IBM Tealeaf Customer Experience version 9.0.0A IBM Tealeaf Customer Experience versions prior to 9.0.1.1083 IBM Tealeaf Customer Experience versions prior to 9.0.1.5073 IBM Tealeaf Customer Experience versions prior to 9.0.2.1095 IBM Tealeaf Customer Experience versions prior to 9.0.2.5144 **Description** A directory traversal issue in the replay server of IBM Tealeaf Customer Experience allows remote attackers to read arbitrary files. The attack vector is not specified. **Recommendations** For versions prior to 8.7.1.8818, update to version 8.7.1.8818 or later. For versions prior to 8.8.0.9026, update to version 8.8.0.9026 or later. For version 9.0.0, update to a later version. For version 9.0.0A, update to a later version. For versions prior to 9.0.1.1083, update to version 9.0.1.1083 or later. For versions prior to 9.0.1.5073, update to version 9.0.1.5073 or later. For versions prior to 9.0.2.1095, update to version 9.0.2.1095 or later. For versions prior to 9.0.2.5144, update to version 9.0.2.5144 or later.

**Name of the Vulnerable Software and Affected Versions** IBM Tealeaf Customer Experience versions prior to 8.7.1.8818 IBM Tealeaf Customer Experience versions 8.8 prior to 8.8.0.9026 IBM Tealeaf Customer Experience version 9.0.0 IBM Tealeaf Customer Experience version 9.0.0A IBM Tealeaf Customer Experience versions 9.0.1 prior to 9.0.1.1083 IBM Tealeaf Customer Experience versions 9.0.1A prior to 9.0.1.5073 IBM Tealeaf Customer Experience versions 9.0.2 prior to 9.0.2.1095 IBM Tealeaf Customer Experience versions 9.0.2A prior to 9.0.2.5144 **Description** The issue allows local users to discover credentials by leveraging privileges during an unspecified connection type. **Recommendations** For versions prior to 8.7.1.8818, update to version 8.7.1.8818 or later. For versions 8.8 prior to 8.8.0.9026, update to version 8.8.0.9026 or later. For version 9.0.0, update to a newer version. For version 9.0.0A, update to a newer version. For versions 9.0.1 prior to 9.0.1.1083, update to version 9.0.1.1083 or later. For versions 9.0.1A prior to 9.0.1.5073, update to version 9.0.1.5073 or later. For versions 9.0.2 prior to 9.0.2.1095, update to version 9.0.2.1095 or later. For versions 9.0.2A prior to 9.0.2.5144, update to version 9.0.2.5144 or later.

**Name of the Vulnerable Software and Affected Versions** IBM Tealeaf Customer Experience versions prior to 8.7.1.8814 IBM Tealeaf Customer Experience versions prior to 8.8.0.9026 IBM Tealeaf Customer Experience version 9.0.0 IBM Tealeaf Customer Experience version 9.0.0A IBM Tealeaf Customer Experience versions prior to 9.0.1.1083 IBM Tealeaf Customer Experience versions prior to 9.0.1.5073 IBM Tealeaf Customer Experience versions prior to 9.0.2.1095 IBM Tealeaf Customer Experience versions prior to 9.0.2.5144 **Description** The issue allows remote attackers to read arbitrary charts by specifying an internal chart name. **Recommendations** For versions prior to 8.7.1.8814, update to version 8.7.1.8814 or later. For versions prior to 8.8.0.9026, update to version 8.8.0.9026 or later. For version 9.0.0, update to a later version. For version 9.0.0A, update to a later version. For versions prior to 9.0.1.1083, update to version 9.0.1.1083 or later. For versions prior to 9.0.1.5073, update to version 9.0.1.5073 or later. For versions prior to 9.0.2.1095, update to version 9.0.2.1095 or later. For versions prior to 9.0.2.5144, update to version 9.0.2.5144 or later.