Researchers describe discovery of ‘mega’ zero-day

Researchers describe discovery of ‘mega’ zero-day

Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems.

Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’.

The researchers said they privately told Oracle about a serious vulnerability they discovered in Oracle Access Manager, tracked as CVE-2021–35587. The CVSS 9.8 bug is described as an “easily exploitable” flaw that allows unauthenticated attackers with network access via HTTP for application takeover.

**Accidental discovery**

Jang said the flaw was discovered by accident when the duo were “building a PoC \[proof of concept exploit code\] for another mega 0-day”.

While working with the Zero Day Initiative (ZDI), this research led to the discovery of CVE-2022–21445. This ‘mega’ bug, issued a severity score of 9.8, was found in the Oracle Application Development Framework (ADF) Faces architecture, a component of Oracle Fusion Middleware.

Catch up on the latest vulnerability-related security news and analysis

The deserialization of trusted data issue can be chained with CVE-2022–21497 (CVSS 8.1), a takeover flaw in Oracle Web Services Manager, to achieve pre-authentication RCE.

CVE-2022–21445 impacts a variety of products and services based on Fusion Middleware, various Oracle systems, and even Oracle’s cloud infrastructure. Unauthenticated attackers with network access, via HTTP, can abuse the vulnerability chain.

“One more thing to note, any website was developed by ADF Faces framework are affected,” Peterjson said.

**Disclosure and patches**

After testing Oracle services and domains, the vulnerability report was submitted to the vendor on October 25, 2021. In the same month, Oracle confirmed receipt of the report and said it was investigating. However, it took the best part of six months for a patch to be issued.

Both issues have been resolved in Oracle’s April round of patches. Oracle is one of many technology vendors, alongside Microsoft and Adobe, that releases a monthly patch update to tackle bugs in its software.

Companies utilizing vulnerable Oracle software are urged to apply the patch immediately.

Other vendors potentially impacted by the pre-auth RCE were notified via their respective bug bounty programs. Peterjson told The Stack that companies have been informed if they have not applied Oracle’s fix, and that he believes the number of exposed instances is “huge”.

“Why \[did\] we hack some Oracle’s sites? Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous, it affects Oracle system\[s\] and Oracle’s customers,” Peterjson commented.

“That’s why we want Oracle take an action ASAP. But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy.”

The Daily Swig has reached out to Oracle and we will update this story if and when we hear back.

YOU MIGHT ALSO LIKE Splunk patches critical vulnerability while users push for legacy updates

Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.

CVE-2021-29768: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

Swiss researchers debunked MEGA's claims that anyone that would be able to take over MEGA's infrastructure would still not have access to your information and files.
The post MEGA claims it can’t decrypt your files. But someone’s managed to… appeared first on Malwarebytes Labs.

MEGA, the cloud storage provider and file hosting service, is very proud of its end-to-end encryption. It says it couldn’t decrypt your stored files, even if it wanted to.

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key. MEGA does not have access to your password or your data. Using a strong and unique password will ensure that your data is protected from being hacked and gives you total confidence that your information will remain just that – yours.”

But there’s a problem. A Swiss team of researchers has just proved those claims wrong.

And that’s not all. The research went one step further, finding that an attacker could insert malicious files into the storage, passing all authenticity checks of the client.

**Cryptography flaws**

Researchers at the Department of Computer Science of the ETH Zurich in Zurich, Switzerland reviewed the security of MEGA and found significant issues in how it uses cryptography.

These findings could lead to devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.

**Key hierarchy**

The MEGA client derives an authentication key and an encryption key from the password. The authentication key identifies users to MEGA. The encryption key encrypts a randomly generated master key, which in turn encrypts other key material of the user. Every account has a set of asymmetric keys: An RSA key pair for sharing data, a Curve25519 key pair for exchanging chat keys for MEGA’s chat functionality, and an Ed25519 key pair for signing the other keys. Furthermore, the client generates a new key for every file or folder (collectively referred to as nodes) uploaded by the user.

Long story short, all the keys are derived in one way or another from the password. And all the keys get stored on MEGA’s servers to support access from multiple devices.

**Ciphertext**

Ciphertext is encrypted text transformed from plaintext using an encryption algorithm. The researchers built two attacks based on the lack of integrity protection of ciphertexts containing keys, and two further attacks to breach the integrity of file ciphertexts and allow a malicious service provider to insert chosen files into a user’s cloud storage.

**Attacks**

Due to the flawed integrity protection, a malicious service provider can recover a user’s private RSA share key (used to share file and folder keys) over 512 login attempts. The number is 512 because of the RSA-CRT implementation used by MEGA clients to build an oracle that leaks one bit of information per login attempt about a factor of the RSA modulus.

As a result the malicious service provider can recover any plaintext encrypted with AES-ECB under a user’s master key. This includes all node keys used for encrypting files and folders. As a consequence, the confidentiality of all user data protected by these keys, such as files and chat messages, is lost.

Based on the first two attacks, a malicious service provider can construct an encrypted file. The user cannot demonstrate that they didn’t upload the forged data because the files and keys are indistinguishable from genuinely uploaded ones. It needs no further explanation that introducing a malicious file in such an attack could further compromise not only the user’s system, but also for those the user has shared their files or folders with.

**MEGA’s response**

MEGA acknowledged the issue on March 24, 2022, and released patches on June 21, 2022, awarding the researchers a bug bounty. But MEGA’s fix differs greatly from what the researchers proposed, patching only for the first attack alone since the other attacks rely on the first one.

Since that does not fix the key reuse issue, lack of integrity checks, and other systemic problems the researchers identified, this remains a source of concern for them.

As a regular MEGA user there is no reason to worry about these flaws, especially if you haven’t logged in more than 512 times. An attacker would need to have control over MEGA’s API servers or TLS connections without being noticed to perform any of these attacks.

Anyone interested in more technical details, can read the researcher’s paper.

MEGA claims it can’t decrypt your files. But someone’s managed to…

SAP Focused Run Simple Diagnostics Agent version 1.0 suffers from a directory traversal vulnerability.

    # Onapsis Security Advisory 2022-0007: Directory Traversal vulnerability inSAP Focused Run (Simple Diagnostics Agent 1.0)## Impact on BusinessExposing the contents of a directory can lead to a disclosure of usefulinformationfor the attacker to devise exploits, such as creation times of files or anyinformation that may be encoded in file names. The directory listing mayalsocompromise private or confidential data.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0007- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SIMPLE\_DIAGNOSTICS\_AGENT 1.0  (Check SAP Note 3159091 for detailed information on affected releases)- Vulnerability Class: CWE-548- CVSS v3 score: 2.7 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N- Risk Level: Low- Assigned CVE: CVE-2022-27657- Vendor patch Information: SAP Security NOTE 3159091## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsA path traversal exists in the Simple Diagnostic Agent service listening, bydefault, on localhost port 3005. A local attacker, without particularprivileges,can use it to display content of the directory as ```sapadm``` OS user.Leading toinformation disclosure of potentially sensitive data.## SolutionSAP has released SAP Note 3159091 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3159091.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 04/12/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-april-2022-focus-spring4shell-and-sap-mii- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27657- Vendor Patch:https://launchpad.support.sap.com/#/notes/3159091## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN Simple Diagnostics Agent 1.0 Directory Traversal

SAP Focused Run Simple Diagnostics Agent version 1.0 suffers from an information disclosure vulnerability.

    # Onapsis Security Advisory 2022-0006: Information Disclosure vulnerabilityin SAP Focused Run (Simple Diagnostics Agent 1.0)## Impact on BusinessRunning unnecessary services, like a jetty webserver, may lead to increasedsurface area for an attack and also it unnecessarily exposes underlyingvulnerabilities.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0006- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SIMPLE\_DIAGNOSTICS\_AGENT 1.0  (Check SAP Note 3147102 for detailed information on affected releases)- Vulnerability Class: CWE-200- CVSS v3 score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N- Risk Level: Medium- Assigned CVE: CVE-2022-22547- Vendor patch Information: SAP Security NOTE 3147102## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsThe Simple Diagnostic Agent exposed a Jetty Web server on a random port,between9000-65535. This service does not handle any API or servlets, as well asdoesnot have any incoming or outcoming network communication. This allowsinformation gathering which could be used to exploit future open sourcesecurityexploits.## SolutionSAP has released SAP Note 3147102 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3147102.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22547- Vendor Patch:https://launchpad.support.sap.com/#/notes/3147102## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN Simple Diagnostics Agent 1.0 Information Disclosure

The SAP Fiori launchpad suffers from a cross site scripting vulnerability. Various component versions are affected.

    # Onapsis Security Advisory 2022-0005: Cross-Site Scripting (XSS)vulnerability in SAP Fiori launchpad## Impact on BusinessImpact depends on the victim's privileges. In most cases, a successfulattackallows an attacker to hijack a session, or force the victim to performundesiredrequests in the SAP System (CSRF) as well as redirected to arbitrary website(Open Redirect).## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0005- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SAP\_UI 753  - SAP\_UI 754  - SAP\_UI 755  - SAP\_UI 756  - SAP\_BASIS 787  (Check SAP Note 3149805 for detailed information on affected releases)- Vulnerability Class: CWE-79- CVSS v3 score: 8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N- Risk Level: High- Assigned CVE: CVE-2022-26101- Vendor patch Information: SAP Security NOTE 3149805## Affected Components DescriptionSAP Fiori launchpad is the entry point to ABAP platform for SAP Fiori appsonmobile and desktop devices.## Vulnerability DetailsDuring the navigation in SAP Fiori Launchpad, it is possible to provide acustomtheme name using the url parameter ```sap-theme```. This parameter has anoption to provide the path to a .css file, which it is used directly in thepagegeneration. This optional input is not sufficiently sanitized, allowing anattacker tocontrol and craft any kind of html payload in the page requested.## SolutionSAP has released SAP Note 3149805 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3149805.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/09/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26101- Vendor Patch:https://launchpad.support.sap.com/#/notes/3149805- Vendor FAQ:https://launchpad.support.sap.com/#/notes/3157089## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP Fiori Launchpad Cross Site Scripting

SAP Focused Run Simple Diagnostics Agent version 1.0 suffers from a missing authentication vulnerability.

    # Onapsis Security Advisory 2022-0004: Missing Authentication check in SAPFocused Run (Simple Diagnostics Agent 1.0)## Impact on BusinessBecause the Simple Diagnostic Agent (SDA) handles several importantconfiguration and critical credential information, a successful attackcould lead to the control of the SDA, and therefore affect:  * Integrity, by modifying the configuration.  * Availability, by stopping the service.  * Confidentiality and Scope changing, by decrypting all storedcredentials. Thenaccessing the SAP Focused Run system as well as the SAP system managed bytheSDA.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0004- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SIMPLE\_DIAGNOSTICS\_AGENT 1.0  (Check SAP Note 3145987 for detailed information on affected releases)- Vulnerability Class: CWE-306- CVSS v3 score: 9.3 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H- Risk Level: Critical- Assigned CVE: CVE-2022-24396- Vendor patch Information: SAP Security NOTE 3145987## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsVulnerability 1:No authentication is required to interact with the Simple Diagnostic Agenthttpservice on port 3005 by default. Therefore, unauthenticated attackers willhavefull access to either administrative or other privileged functionalities.Leveragingthis access, they would be able to read, modify or delete sensitiveinformation andconfigurations with sapadm OS user privileges.Vulnerability 2:A path traversal exists in the Simple Diagnostic Agent service listening, bydefault, on localhost port 3005. A local attacker, without particularprivileges,can abuse this flaw in order to display the content of any OS directorywhich ```sapadm```has access to. Leading to information disclosure of potentially sensitivedata.## SolutionSAP has released SAP Note 3145987 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3145987.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published.## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24396- Vendor Patch:https://launchpad.support.sap.com/#/notes/3145987## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN Simple Diagnostics Agent 1.0 Missing Authentication

SAP Focused Run versions 2.00 and 3.00 suffer from a cross site scripting vulnerability.

    # Onapsis Security Advisory 2022-0003: Cross-Site Scripting (XSS)vulnerability in SAP Focused Run (Real User Monitoring)## Impact on BusinessImpact depends on the victim's privileges. In most cases, a successfulattackallows an attacker to hijack a session, or force the victim to performundesired requestin SAP Focused Run.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0003- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - FRUN 2.00  - FRUN 3.00  (Check SAP Note 3147283 for detailed information on affected releases)- Vulnerability Class: CWE-79- CVSS v3 score: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N- Risk Level: Medium- Assigned CVE: CVE-2022-24399- Vendor patch Information: SAP Security NOTE 3147283## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsThe SAP Focused Run REST service ```/sap/bc/rest/rumupload``` do notsufficiently sanitize an input in the multipart/form-data leading toCross-SiteScripting (XSS) vulnerability from the error page generated.## SolutionSAP has released SAP Note 3147283 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3147283.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published.## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24399- Vendor Patch:https://launchpad.support.sap.com/#/notes/3147283## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN 2.00 / 3.00 Cross Site Scripting

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF.

**CVE-2021-41594**

RSA Archer

RSA Archer 6.9.SP1 P3 suffer of a privilege escalation vulnerability letting administrators access presumibily inaccessible functionalities.

**CVE-2021-40511**

Mastro – OBDA systems

OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service.

**CVE-2021-40510**

Mastro – OBDA systems

XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs.

**CVE-TBA-01**

Liferay Portal

Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.

**CVE-2021-36761**

Qlik Sense

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows remote attackers to perform internal port scanning via SSRF.

**CVE-2021-36760**

WSO2 Identity Server

DOM-based XSS attack in WSO2 Identity Server 5.7.0 allows remote attackers to inject arbitrary web script in password reset procedure. This vulnerability can be used to perform Open Redirection attacks too.

**CVE-2020-23488**

L.E.F Radio Web Streamer

Blind Command Injection in L.E.F. srl Radio Web Streamer 1.0 allows an  
authenticated attacker to execute arbitrary command on the target system via specially crafted HTTP POST request.

**CVE-2020-23487**

L.E.F Radio Web Streamer

Arbitrary File Upload in L.E.F. srl Radio Web Streamer 1.0 allows an  
authenticated attacker to upload arbitrary file on the target system, hence  
executing arbitrary command by uploading a PHP file.

**CVE-2020-23486**

L.E.F Radio Web Streamer

Unauthenticated Command Injection in L.E.F. srl Radio Web Streamer 1.0 allows  an attacker to execute arbitrary command on the target system.

**CVE-2020-14608**

Oracle Fusion Middleware MapViewer

This vulnerability allows unauthenticated attacker with network access via HTTP to create, delete, edit critical data and read accessible data.

**CVE-2020-14607**

Oracle Fusion Middleware MapViewer

This vulnerability allows unauthenticated attacker with network access via HTTP to update, insert, delete and partially read accessible data.

**CVE-2020-14997**

ASiM – Archimista

An Insecure Direct Object Reference (IDOR) in Archimista 3.1.0 allows authenticated attacker to read and export all the reports in the application.

**CVE-2020-14996**

ASiM – Archimista

An arbitrary file read in Archimista 3.1.0 allows remote attacker to read arbitrary files on the file system.

**CVE-2020-14995**

ASiM – Archimista

A SQL injection in Archimista 3.1.0 allows remote attacker to execute arbitrary query on the database via the “term” parameter.

**CVE-2020-14994**

ASiM – Archimista

A SQL injection in Archimista 3.1.0 allows remote attacker to execute arbitrary query on the database via the “order” parameter.

**CVE-2020-10785**

Targa Telematics

**CVE-2020-10784**

Targa Telematics

**CVE-2019-19866**

Atos Unify OpenScape UC Application

Atos Unify OpenScape UC Web Client V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId to getMailFunction in the JSON API, one can enumerate all conferences scheduled on the platform, with their numbers and access PINs.

**CVE-2019-19865**

Atos Unify OpenScape UC Application

Atos Unify OpenScape UC Application V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows XSS. An attacker could exploit this by convincing an authenticated user to inject arbitrary JavaScript code in the Profile Name field. A browser would execute this stored XSS payload.

**CVE-2019-17227**

Atos Unify OpenScape UC Application

Tag

#oracle