Ved Prabhu

**Name of the Vulnerable Software and Affected Versions** Oracle APEX Sample Applications versions 23.2.0 through 23.2.1 Oracle APEX Sample Applications versions 24.1.0 through 24.2.1 **Description** A flaw exists within the Oracle APEX Sample Applications product, specifically the Brookstrut Sample App component. This issue allows a low-privileged attacker with network access via HTTP to compromise the application. Exploitation requires interaction from a user other than the attacker. While the issue is present in Oracle APEX Sample Applications, attacks may impact other products. Successful exploitation can lead to unauthorized data modification, insertion, deletion, and read access. **Recommendations** Update Oracle APEX Sample Applications to a version later than 24.2.1. Update Oracle APEX Sample Applications to a version later than 23.2.1. Update Oracle APEX Sample Applications to a version later than 24.1.0. Update Oracle APEX Sample Applications to a version later than 23.2.0.

**Name of the Vulnerable Software and Affected Versions** Oracle MySQL versions 8.0.0 through 8.0.42 Oracle MySQL versions 8.4.0 through 8.4.5 Oracle MySQL versions 9.0.0 through 9.3.0 **Description** This issue affects the InnoDB component of Oracle MySQL Server. Successful exploitation can lead to a denial-of-service (DOS) condition, causing the server to hang or crash repeatedly. The vulnerability is easily exploitable and requires network access with high privileges. **Recommendations** Oracle MySQL versions prior to 8.0.43 Oracle MySQL versions prior to 8.4.6 Oracle MySQL versions prior to 9.3.1

**Name of the Vulnerable Software and Affected Versions** Oracle Application Express Team Calendar Plugin versions 18.2 through 22.1 **Description** The issue is related to insufficient input validation in the Application Express Team Calendar Plugin component of Oracle Application Express. This easily exploitable flaw allows a low-privileged attacker with network access via HTTP to compromise the plugin. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The exploitation of this issue can result in the takeover of the Application Express Team Calendar Plugin. **Recommendations** For versions 18.2 through 22.1, update to a version that includes the fix for this issue to prevent potential takeover of the Application Express Team Calendar Plugin. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Application Express Customers Plugin versions 18.2 through 22.2 **Description** The issue exists due to insufficient input validation in the Application Express Customers Plugin component of Oracle Application Express. This allows a remote attacker to modify, add, or delete data using the HTTP protocol. Successful attacks require human interaction and may significantly impact additional products. The vulnerability can result in the takeover of the Application Express Customers Plugin. **Recommendations** For versions 18.2 through 22.2, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Webex App for Web (affected versions not specified) **Description** The issue is related to the file upload functionality of the Cisco Webex App for Web, where insufficient validation of user-supplied input allows an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. An attacker could exploit this by sending an arbitrary file to a user and persuading that user to browse to a specific URL, potentially allowing the execution of arbitrary script code in the context of the affected interface or access to sensitive, browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Application Express Data Reporter versions prior to 21.1.0.00.04 **Description** The issue is related to insufficient input validation in the Oracle Application Express Data Reporter component of Oracle Database Server. This easily exploitable vulnerability allows a low-privileged attacker with a valid user account and network access via HTTP to compromise Oracle Application Express Data Reporter. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The vulnerability can result in unauthorized update, insert, or delete access to some of Oracle Application Express Data Reporter's accessible data, as well as unauthorized read access to a subset of Oracle Application Express Data Reporter's accessible data. **Recommendations** For versions prior to 21.1.0.00.04, update to version 21.1.0.00.04 or later to resolve the issue. As a temporary workaround, consider restricting access to the Oracle Application Express Data Reporter component to minimize the risk of exploitation. Additionally, ensure that all inputs are thoroughly validated to prevent unauthorized access.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server version prior to 20.2 Description: The issue is related to the Oracle Application Express Survey Builder component. It allows a low-privileged attacker with a valid user account and network access via HTTP to compromise the component. Successful attacks require human interaction and can significantly impact additional products, resulting in unauthorized access to data. The vulnerability may allow an attacker to update, insert, or delete data, as well as gain read access to a subset of data. Recommendations: For versions prior to 20.2, update to version 20.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Oracle Application Express Survey Builder component to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions prior to 20.2 Description: The issue is related to insufficient access control in the Oracle Application Express Opportunity Tracker component. It allows a low-privileged attacker with a valid user account and network access via HTTP to compromise the component. Successful attacks require human interaction and may significantly impact additional products, resulting in unauthorized access to data, including update, insert, delete, and read access to some of the accessible data. Recommendations: For versions prior to 20.2, update to version 20.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Oracle Application Express Opportunity Tracker component to minimize the risk of exploitation. Additionally, restrict network access via HTTP to the component until the update is applied.

Name of the Vulnerable Software and Affected Versions: Oracle Application Express Packaged Apps version prior to 20.2 Description: The issue is related to insufficient input validation in the Oracle Application Express Packaged Apps component. It allows a low-privileged attacker with a valid user account and network access via HTTP to compromise the component. Successful attacks require human interaction and may significantly impact additional products, resulting in unauthorized access to data, including update, insert, delete, and read access to some of the accessible data. Recommendations: For versions prior to 20.2, update to version 20.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Oracle Application Express Packaged Apps component to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions prior to 20.2 Description: The issue is related to insufficient input validation in the Oracle Application Express Data Reporter component. It allows a low-privileged attacker with a valid user account and network access via HTTP to compromise the component. Successful attacks require human interaction and may significantly impact additional products, resulting in unauthorized access to data. Recommendations: For versions prior to 20.2, update to version 20.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Oracle Application Express Data Reporter component to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Oracle Application Express versions prior to 20.2 Description: The issue is related to insufficient input validation in the Oracle Application Express component of Oracle Database Server. It allows a low-privileged attacker with SQL Workshop privilege and network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized update, insert, or delete access to some of Oracle Application Express's accessible data, as well as unauthorized read access to a subset of Oracle Application Express's accessible data. Recommendations: For versions prior to 20.2, update to version 20.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the SQL Workshop privilege to minimize the risk of exploitation. Additionally, restrict network access via HTTP to the Oracle Application Express component until the update is applied.

Name of the Vulnerable Software and Affected Versions: Oracle Application Express Group Calendar versions prior to 20.2 Description: The issue exists due to insufficient input validation in the Oracle Application Express Group Calendar component of Oracle Database Server. This allows a remote attacker with a valid user account and network access via HTTP to compromise the component, potentially impacting the confidentiality and integrity of protected information. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products, resulting in unauthorized access to some data. Recommendations: For versions prior to 20.2, update to version 20.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Oracle Application Express Group Calendar component until a patch is available. Additionally, restrict network access via HTTP to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions prior to 20.2 Description: The issue is related to insufficient input validation in the Oracle Application Express Quick Poll component. It allows a low-privileged attacker with a valid user account and network access via HTTP to compromise the component. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The impact includes unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data. Recommendations: For versions prior to 20.2, update to version 20.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Oracle Application Express Quick Poll component to minimize the risk of exploitation.