Ez Systems · Ezplatform-Graphql · CVE-2022-41876
**Name of the Vulnerable Software and Affected Versions**
ezplatform-graphql 1.x releases prior to 1.0.13
ezplatform-graphql 2.x releases prior to 2.3.12
**Description**
Unauthenticated GraphQL queries can return the stored password hashes of user accounts. The exposed accounts are those of users who have created or modified content, which in practice means administrators and editors, so the most privileged credentials in the installation are the ones at risk. The root cause is that the GraphQL `User` type declares the password hash as a queryable field and the queries that lead to those user objects do not require authentication; the advisory classifies this as insecure storage of sensitive information. Anyone who can reach the GraphQL endpoint can therefore harvest the hashes and attempt to crack them offline.
**Recommendations**
For 1.x releases prior to 1.0.13, update to version 1.0.13 or later to resolve the issue.
For 2.x releases prior to 2.3.12, update to version 2.3.12 or later to resolve the issue.
As a temporary workaround for users unable to upgrade, remove the `passwordHash` entry from `src/bundle/Resources/config/graphql/User.types.yaml` in the GraphQL package; the hash type, `email` and `login` entries can be removed the same way if you also want to stop unauthenticated enumeration of account names and addresses. Two caveats apply. The file lives inside the installed package, so a later `composer install` or `composer update` will restore the original and re-expose the field, and because Symfony caches compiled configuration the change only takes effect after the application cache has been cleared. After applying it, confirm with an unauthenticated query (or a schema introspection) that `passwordHash` is no longer present. Hashes that were already retrieved remain exposed, so resetting the passwords of administrator and editor accounts is advisable regardless of which fix is applied.
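The following is an added example for checking an endpoint, not code from the ezplatform-graphql project. It sends a standard GraphQL introspection query with no credentials, reports any password or hash fields on the user type, and walks the type graph from the root query type to show the path by which an anonymous client reaches user objects. The sample response embedded below is constructed for offline use; it assumes the user type is named `User`, that the hash type field is called `passwordHashType`, that a `content` query exposes an `owner` relation, and that introspection is enabled on the endpoint you point it at.

```python
"""Detect password-hash exposure on a GraphQL user type via schema introspection.

Added example, not part of ezplatform-graphql. Type and field names in the
constructed sample (`User`, `passwordHashType`, `content`, `owner`) are assumptions.
"""
import json
import re
import urllib.request

# Standard GraphQL introspection query (part of the GraphQL specification).
INTROSPECTION_QUERY = """
query {
  __schema {
    types {
      name
      kind
      fields { name type { name kind ofType { name kind ofType { name kind } } } }
    }
  }
}
"""

# Fields that must never be reachable by an unauthenticated client. The advisory
# names `passwordHash`; the regex also catches a hash-type field under whatever
# name the schema uses for it (assumption about naming).
SENSITIVE_FIELD_RE = re.compile(r"password|hash", re.IGNORECASE)

# Constructed sample of an introspection response from an unpatched install.
# Only `passwordHash`, `login` and `email` are named in the advisory; the rest are assumed.
SAMPLE_RESPONSE = json.dumps({
    "data": {"__schema": {"types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "content", "type": {"name": "Content", "kind": "OBJECT", "ofType": None}}]},
        {"name": "Content", "kind": "OBJECT", "fields": [
            {"name": "owner", "type": {"name": None, "kind": "NON_NULL",
                                       "ofType": {"name": "User", "kind": "OBJECT"}}}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "login", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            {"name": "email", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            {"name": "passwordHash", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            {"name": "passwordHashType", "type": {"name": "Int", "kind": "SCALAR", "ofType": None}}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
    ]}}
})


def _named_type(type_ref):
    """Unwrap NON_NULL / LIST wrappers down to the underlying named type."""
    while type_ref and type_ref.get("name") is None:
        type_ref = type_ref.get("ofType")
    return type_ref["name"] if type_ref else None


def sensitive_fields(introspection_json, type_name="User"):
    """Return sorted names of password/hash-looking fields on `type_name` ([] if clean or absent)."""
    doc = json.loads(introspection_json)
    for gql_type in doc["data"]["__schema"]["types"]:
        if gql_type["name"] == type_name:
            return sorted(f["name"] for f in (gql_type.get("fields") or [])
                          if SENSITIVE_FIELD_RE.search(f["name"]))
    return []


def path_to_type(introspection_json, target="User", root="Query"):
    """Breadth-first walk over object types; returns a field path such as ['content', 'owner'] or None."""
    doc = json.loads(introspection_json)
    types = {t["name"]: t for t in doc["data"]["__schema"]["types"]}
    queue = [(root, [])]
    seen = {root}
    while queue:
        current, path = queue.pop(0)
        for field in types.get(current, {}).get("fields") or []:
            nxt = _named_type(field["type"])
            if nxt == target:
                return path + [field["name"]]
            if nxt in types and nxt not in seen and types[nxt]["kind"] == "OBJECT":
                seen.add(nxt)
                queue.append((nxt, path + [field["name"]]))
    return None


def fetch_introspection(endpoint):
    """POST the introspection query with no credentials, the condition the advisory describes."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(endpoint, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    import sys
    # Pass the GraphQL endpoint URL as the first argument to check a live install;
    # without one the constructed sample is analysed instead.
    raw = fetch_introspection(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    exposed = sensitive_fields(raw)
    if exposed:
        route = " -> ".join(path_to_type(raw) or ["(no path from Query found)"])
        print(f"VULNERABLE: User exposes {exposed}, reachable via {route}")
    else:
        print("OK: no password/hash fields on the User type")
```

Run it against the endpoint before and after applying the workaround or upgrade; a clean result means the field is gone from the schema, which is the only state in which an anonymous query cannot select it. If the target has introspection disabled, the same `sensitive_fields` check can be run on a schema dump exported from the application instead.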