Tomasz Stachowicz

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Application Dependency Discovery Manager versions 7.3.0.0 through 7.3.0.11 **Description** This issue allows authenticated users to embed arbitrary JavaScript code in the Web UI, potentially altering the intended functionality and leading to credentials disclosure within a trusted session. The vulnerability is related to stored cross-site scripting. **Recommendations** For versions 7.3.0.0 through 7.3.0.11, update to a version that includes a fix for this issue to prevent stored cross-site scripting attacks. As a temporary workaround, consider restricting access to the Web UI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM WebSphere Application Server versions 8.5 through 9.0 **Description** This issue allows a privileged user to embed arbitrary JavaScript code in the Web UI, potentially altering the intended functionality and leading to credentials disclosure within a trusted session. The vulnerability enables an attacker to inject malicious scripts. **Recommendations** For IBM WebSphere Application Server versions 8.5 through 9.0, upgrade the affected component immediately to mitigate the risk. As a temporary workaround, consider restricting access to the Web UI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM WebSphere Application Server versions 8.5 through 9.0 **Description** The issue allows a privileged user to embed arbitrary JavaScript code in the Web UI, potentially altering the intended functionality and leading to credentials disclosure within a trusted session. This is a result of a stored cross-site scripting issue. **Recommendations** For IBM WebSphere Application Server versions 8.5 through 9.0, consider restricting access to the Web UI to minimize the risk of exploitation until a patch is available. As a temporary workaround, disabling the embedding of arbitrary JavaScript code in the Web UI can help mitigate the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Palo Alto Networks Prisma Cloud Compute (affected versions not specified) Description: A cross-site scripting (XSS) issue allows a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface. This enables the malicious administrator to perform actions in the context of another user's browser when accessed by that other user. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pega Platform versions 6.x through 8.8.4 **Description** The issue is related to an XXE problem with PDF Generation. **Recommendations** For versions 6.x through 8.8.4, update to a version that includes a fix for the XXE issue with PDF Generation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pega Platform versions 7.1.7 through 23.1.1 **Description** The issue is related to an XSS problem when editing or rendering user HTML content. **Recommendations** For Pega Platform versions 7.1.7 through 23.1.1, update to a version that includes a fix for the XSS issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pega Platform versions 8.5.4 through 8.8.3 **Description** The issue is an XSS problem that can be exploited by an unauthenticated user, utilizing the `redirect` parameter. **Recommendations** For versions 8.5.4 through 8.8.3, consider restricting access to the `redirect` parameter to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pega Platform versions 8.2.1 to Infinity 23.1.0 **Description** The issue is related to generated PDFs, which could expose file contents. **Recommendations** For Pega Platform versions 8.2.1 to Infinity 23.1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM WebSphere Application Server versions 8.5 through 9.0 **Description** The issue is related to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to expose sensitive information or consume memory resources. **Recommendations** For IBM WebSphere Application Server versions 8.5 through 9.0, consider disabling XML processing or restricting access to sensitive data until a patch is available. As a temporary workaround, restrict the use of XML external entities to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dell EMC XtremIO versions prior to 6.3.3-8 **Description** The issue is related to a Cross-Site Request Forgery vulnerability in XMS. A non-privileged attacker could potentially exploit this, leading to a privileged victim application user being tricked into sending state-changing requests to the vulnerable application, causing unintended server operations. **Recommendations** For versions prior to 6.3.3-8, update to version 6.3.3-8 or later to resolve the issue. As a temporary workaround, consider implementing additional validation checks on requests to prevent unintended server operations. Restrict access to the XMS interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Fusion Middleware BI Publisher versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient input validation in the BI Publisher Security component of Oracle Fusion Middleware. It allows an unauthenticated attacker with network access via HTTP to compromise BI Publisher, resulting in unauthorized access to critical data or complete access to all BI Publisher accessible data, as well as unauthorized update, insert, or delete access to some of BI Publisher accessible data. Successful attacks require human interaction from a person other than the attacker. **Recommendations** For versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle BI Publisher versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient input validation in the Mobile Service subcomponent of Oracle BI Publisher, part of Oracle Fusion Middleware. This allows an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher, potentially impacting additional products. Successful attacks can result in unauthorized update, insert, or delete access to some Oracle BI Publisher accessible data, as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. **Recommendations** For versions 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle BI Publisher versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient input validation in the Mobile Service component of Oracle BI Publisher, part of Oracle Fusion Middleware. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher, requiring human interaction from a person other than the attacker. Successful attacks can result in unauthorized access to critical data, complete access to all Oracle BI Publisher accessible data, as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data. **Recommendations** For versions 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.