Uceka

**Name of the Vulnerable Software and Affected Versions** Alcatel-Lucent Motive Home Device Manager (HDM) versions prior to 4.2 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the Management Console of Alcatel-Lucent Motive Home Device Manager (HDM). These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various parameters, including the `deviceTypeID` parameter to "DeviceType/getDeviceType.do", the `policyActionClass` or `policyActionName` parameter to "PolicyAction/findPolicyActions.do", the `deviceID` parameter to "SingleDeviceMgmt/getDevice.do" or "device/editDevice.do", the `operation` parameter to "ajax.do" or "xmlHttp.do", and the `policyAction`, `policyClass`, or `policyName` parameter to "policy/findPolicies.do". **Recommendations** For versions prior to 4.2, update to version 4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Management Console and limiting the use of the affected parameters until the update is applied. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Nokia Networks @vantage Commander (affected versions not specified) **Description** The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different API endpoints, including `/cftraces/filter/fl copy.jsp`, `/cftraces/filter/fl crea1.jsp`, `/cftraces/process/pr show process.jsp`, `/cftraces/session/se crea.jsp`, `/cftraces/session/se show.jsp`, `/cftraces/session/tr crea filter.jsp`, `/cftraces/session/tr create tagg para.jsp`, and `/home/certificate association.jsp`. The vulnerable parameters include `idFilter`, `nameFilter`, `flName`, `serchStatus`, `refreshTime`, `serchNode`, `MaxActivationTime`, `NumberOfBytes`, `NumberOfTracefiles`, `SessionName`, `serchSessionkind`, `serchSessionDescription`, `serchApplication`, `serchApplicationkind`, `columKeyUnique`, `columParameter`, `componentName`, `criteria1`, `criteria2`, `criteria3`, `description`, `filter`, `id`, `pathName`, `tableName`, `component`, and `userid`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Huawei SEQ Analyst versions prior to V200R002C03LG0001CP0022 **Description** The issue allows remote authenticated users to read arbitrary files. This is achieved via the `req` parameter, which is vulnerable to XML external entity (XXE) attacks. **Recommendations** For versions prior to V200R002C03LG0001CP0022, update to V200R002C03LG0001CP0022 or later to resolve the issue. As a temporary workaround, consider restricting access to the `req` parameter to minimize the risk of exploitation.