Unam4

**Name of the Vulnerable Software and Affected Versions** Apache HertzBeat versions prior to 1.7.0 **Description** An XML injection Remote Code Execution (RCE) vulnerability exists in Apache HertzBeat due to parsing of HTTP sitemap XML responses. An attacker with an authenticated account and access can trigger the vulnerability by adding a monitor that parses XML and returns specially crafted content. **Recommendations** Upgrade to version 1.7.0.

Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.11 Description: DataEase is an open source business intelligence and data visualization tool. The issue lies in parameters like `sslfactory` and `sslfactoryarg`, which have similar functionality to `socketfactory` and `socketfactoryarg`, but need to be triggered after establishing the connection. Other similar parameters include `sslhostnameverifier`, `sslpasswordcallback`, and `authenticationPluginClassName`. Recommendations: For versions prior to 2.10.11, update to version 2.10.11 to resolve the issue. As a temporary workaround, consider restricting the use of parameters like `sslfactory` and `sslfactoryarg` until the update is applied.

Name of the Vulnerable Software and Affected Versions: Apache HertzBeat (incubating) versions prior to 1.6.1 Description: This issue is related to an improper neutralization of special elements used in a command, also known as a 'Command Injection' vulnerability. The vulnerability can only be exploited by authorized attackers. Recommendations: For Apache HertzBeat (incubating) versions prior to 1.6.1, upgrade to version 1.6.1 to resolve the issue. As a temporary workaround, consider restricting access to sensitive commands or functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DataEase versions prior to 2.10.2 **Description** The issue allows attackers to forge JWT and take over services due to the JWT secret being hardcoded in the code. Additionally, the UID and OID are also hardcoded. This has been fixed in version 2.10.2. **Recommendations** For versions prior to 2.10.2, update to version 2.10.2 to resolve the issue. As a temporary workaround, consider restricting access to services that use the hardcoded JWT secret until the update is applied.

Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.0.0-beta.36 Description: The issue is related to the configuration settings of the Nginx UI server, specifically the `/api/configs` directory, and is associated with weaknesses in the authorization procedure. This can be combined with directory traversal to read directories and file contents on the server. Recommendations: For versions prior to 2.0.0-beta.36, update to version 2.0.0-beta.36 to fix the issue. As a temporary workaround, consider restricting access to the `/api/configs` API endpoint until a patch is available.

Name of the Vulnerable Software and Affected Versions: Nginx UI versions 2.0.0-beta.35 and earlier Description: The issue is related to the Nginx UI's handling of JSON fields without proper verification, allowing an attacker to construct a value in the form of `../../` and write arbitrary files to the server. This may result in loss of permissions. The vulnerability can be exploited by a remote attacker and may lead to unauthorized file writes. Recommendations: For Nginx UI versions 2.0.0-beta.35 and earlier, update to version 2.0.0-beta.26 or later to fix the issue. As a temporary workaround, consider restricting access to the JSON handler to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** sofahessian versions prior to 3.5.5 **Description** The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. However, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. **Recommendations** To resolve the issue, upgrade to sofahessian version 3.5.5. For users unable to upgrade, maintain a blacklist in the directory `external/serialize.blacklist` as a temporary workaround.

**Name of the Vulnerable Software and Affected Versions** DataEase versions prior to 1.18.25 **Description** DataEase is an open source data visualization analysis tool. The PostgreSQL data source function allows customization of JDBC connection parameters and the PG server target. However, the PgConfiguration class in backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java does not filter any parameters and directly concatenates user input. This allows an attacker to add parameters to the JDBC URL and connect to a malicious PG server, triggering the PG JDBC deserialization vulnerability. The attacker can then execute system commands and obtain server privileges through the deserialization vulnerability. **Recommendations** For versions prior to 1.18.25, update to version 1.18.25 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the PostgreSQL data source function to minimize the risk of exploitation. Avoid using customized JDBC connection parameters and PG server targets until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions through 18.12.14 **Description** This issue affects Apache OFBiz, allowing unauthenticated endpoints to execute screen rendering code of screens if certain preconditions are met, such as when screen definitions do not explicitly check user permissions. The vulnerability is related to incorrect authorization and can lead to remote code execution. It is being actively exploited, and proof-of-concept exploits are available. Users are recommended to upgrade to version 18.12.15 to fix the issue. **Recommendations** Apache OFBiz versions through 18.12.14: Upgrade to version 18.12.15 to resolve the issue. As a temporary workaround, consider restricting access to unauthenticated endpoints to minimize the risk of exploitation.