Tom

**Name of the Vulnerable Software and Affected Versions** Enfold versions through 5.6.9 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Reflected XSS. **Recommendations** For versions through 5.6.9, update to a version later than 5.6.9 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Identity Manager version 12.2.1.3.0 **Description** The issue is related to the Identity Manager product of Oracle Fusion Middleware, specifically the OIM - LDAP user and role Synch component. It allows an unauthenticated attacker with network access via HTTP to compromise Identity Manager, resulting in unauthorized access to critical data or complete access to all Identity Manager accessible data. The vulnerability is easily exploitable and can be used to disclose protected information remotely using the HTTP protocol. **Recommendations** For version 12.2.1.3.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Z-BlogPHP version 1.5.1 **Description** The issue allows for CSRF via "zb users/plugin/AppCentre/app del.php", which can be exploited to delete files and directories. **Recommendations** For Z-BlogPHP version 1.5.1, consider restricting access to the "app del.php" file in the "zb users/plugin/AppCentre/" directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM versions 11.3.0 through 11.5.3 before HF2 and 11.6.0 before 11.6.0 HF6 F5 BIG-IP AAM versions 11.4.0 through 11.5.3 before HF2 and 11.6.0 before 11.6.0 HF6 F5 BIG-IP Edge Gateway, WebAccelerator, and WOM version 11.3.0 F5 BIG-IP GTM versions 11.3.0 through 11.6.0 before HF6 F5 BIG-IP PSM versions 11.3.0 through 11.4.1 F5 Enterprise Manager versions 3.1.0 through 3.1.1 F5 BIG-IQ Cloud and Security versions 4.0.0 through 4.5.0 F5 BIG-IQ Device versions 4.2.0 through 4.5.0 F5 BIG-IQ ADC version 4.5.0 **Description** The issue allows remote authenticated users with the "Resource Administrator" role to gain privileges via an iCall script or handler in a SOAP request to "iControl/iControlPortal.cgi". **Recommendations** For F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM versions 11.3.0 through 11.5.3 before HF2 and 11.6.0 before 11.6.0 HF6, update to a version with the fix. For F5 BIG-IP AAM versions 11.4.0 through 11.5.3 before HF2 and 11.6.0 before 11.6.0 HF6, update to a version with the fix. For F5 BIG-IP Edge Gateway, WebAccelerator, and WOM version 11.3.0, update to a version with the fix. For F5 BIG-IP GTM versions 11.3.0 through 11.6.0 before HF6, update to a version with the fix. For F5 BIG-IP PSM versions 11.3.0 through 11.4.1, update to a version with the fix. For F5 Enterprise Manager versions 3.1.0 through 3.1.1, update to a version with the fix. For F5 BIG-IQ Cloud and Security versions 4.0.0 through 4.5.0, update to a version with the fix. For F5 BIG-IQ Device versions 4.2.0 through 4.5.0, update to a version with the fix. For F5 BIG-IQ ADC version 4.5.0, update to a version with the fix.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 1.5.12 Mahara versions 1.6.x prior to 1.6.7 Mahara versions 1.7.x prior to 1.7.3 **Description** The issue allows remote authenticated users to read arbitrary artefacts. This can be achieved via the `artefact id` in an upload action when creating a journal or the `instconf artefactid selected[ID]` parameter in an upload action when editing a block. **Recommendations** For Mahara versions prior to 1.5.12, update to version 1.5.12 or later. For Mahara versions 1.6.x prior to 1.6.7, update to version 1.6.7 or later. For Mahara versions 1.7.x prior to 1.7.3, update to version 1.7.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 1.5.12 Mahara versions 1.6.x prior to 1.6.7 Mahara versions 1.7.x prior to 1.7.3 **Description** The issue allows remote authenticated users to modify arbitrary blocks via the block id in an edit request, due to improper access prevention to blocks. **Recommendations** For Mahara versions prior to 1.5.12, update to version 1.5.12 or later. For Mahara versions 1.6.x prior to 1.6.7, update to version 1.6.7 or later. For Mahara versions 1.7.x prior to 1.7.3, update to version 1.7.3 or later.