Victor Rodriguez

**Name of the Vulnerable Software and Affected Versions** Oracle WebCenter Sites version 12.2.1.4.0 **Description** The issue is related to insufficient input validation in the Advanced UI component of Oracle WebCenter Sites, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized update, insert, or delete access to some of Oracle WebCenter Sites' accessible data, as well as unauthorized read access to a subset of Oracle WebCenter Sites' accessible data. **Recommendations** For version 12.2.1.4.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeopleSoft Enterprise PeopleTools versions 8.57 through 8.59 **Description** The issue exists due to insufficient input validation in the Weblogic component of Oracle PeopleSoft Enterprise PeopleTools. This allows a remote attacker to gain read access to data using HTTP requests. Successful attacks can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. **Recommendations** For versions 8.57 through 8.59, update to a version that includes the fix for this issue to prevent unauthorized read access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: PeopleSoft Enterprise PeopleTools versions 8.57, 8.58, and 8.59 Description: The issue allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized update, insert, or delete access to some of PeopleSoft Enterprise PeopleTools accessible data, as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. Recommendations: For versions 8.57, 8.58, and 8.59, update to a version that includes a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CKEditor 4 versions prior to 4.16.2 **Description** A potential vulnerability has been discovered in the CKEditor 4 [Fake Objects] package, allowing the injection of malformed Fake Objects HTML, which could result in executing JavaScript code. This issue affects all users using the CKEditor 4 plugins listed, including [Fake Objects], [Link], [Flash], [Iframe], [Forms], and [Page Break], at versions prior to 4.16.2. **Recommendations** For CKEditor 4 versions prior to 4.16.2, update to version 4.16.2 to resolve the issue. As a temporary workaround, consider disabling the use of the [Fake Objects] plugin until the patch is applied. Restrict access to the affected plugins to minimize the risk of exploitation. Avoid using the affected plugins in the CKEditor 4 package until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Velocity Engine versions up to 2.2 Bitbucket Data Center and Server versions 7.21.0 through 7.21.7 **Description** An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates. The issue is related to incorrect management of code generation in the Java velocity template mechanism, which can allow a remote attacker to access confidential data, disrupt its integrity, and cause a denial of service. **Recommendations** For Apache Velocity Engine versions up to 2.2, consider disabling the ability for untrusted users to upload or modify Velocity templates until a patch is available. For Bitbucket Data Center and Server versions 7.21.0 through 7.21.7, upgrade to a release greater than or equal to 7.21.8 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Oracle WebCenter Sites version 12.2.1.3.0 **Description** The issue is related to a lack of protection for service data in the Advanced UI component of Oracle WebCenter Sites, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products, resulting in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. **Recommendations** For version 12.2.1.3.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.