Tobias Clarke

**Name of the Vulnerable Software and Affected Versions** Cisco Emergency Responder (affected versions not specified) **Description** A vulnerability in the web UI of Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a directory traversal attack. This is due to insufficient protections for the web UI, allowing an attacker to send crafted requests and potentially perform arbitrary actions on an affected device. A successful exploit could allow the attacker to access sensitive files, such as password or log files, or upload and delete existing files from the system, all with the privilege level of the affected user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Emergency Responder (affected versions not specified) **Description** A vulnerability in the web UI of Cisco Emergency Responder could allow an unauthenticated, remote attacker to conduct a CSRF attack. This is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by persuading a user to click a crafted link, allowing the attacker to perform arbitrary actions with the privilege level of the affected user, such as deleting users from the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) versions not specified **Description** The issue is related to a path traversal flaw in the web-based interface of the system, which could allow a remote attacker to conduct cross-site scripting (XSS) attacks against authenticated users. This is due to the interface not properly validating user-supplied input. An attacker could exploit this by persuading an authenticated user to click a crafted link, potentially allowing the execution of arbitrary script code or access to sensitive browser-based information. **Recommendations** For Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), as a temporary workaround, consider disabling the web interface until a patch is available. Plan a swift upgrade to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 19.3 through 19.24 Oracle Database Server versions 21.3 through 21.15 Oracle Database Server versions 23.4 through 23.5 **Description** The issue is related to errors in resource release in the XML Database component of Oracle Database Server. It can be exploited by a remote attacker to cause a denial of service by sending HTTP packets. The vulnerability can be exploited with low privileges and requires human interaction from someone other than the attacker. Successful attacks can result in unauthorized ability to cause a partial denial of service of the XML Database. **Recommendations** For Oracle Database Server versions 19.3 through 19.24, update to a version outside of this range to resolve the issue. For Oracle Database Server versions 21.3 through 21.15, update to a version outside of this range to resolve the issue. For Oracle Database Server versions 23.4 through 23.5, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the XML Database component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Workload Scheduler versions 9.4 through 10.1 **Description** The issue is related to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to expose sensitive information or consume memory resources. **Recommendations** For IBM Tivoli Workload Scheduler versions 9.4 through 10.1, consider disabling XML data processing until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. Avoid using vulnerable XML parsing functions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.