Swiss researchers debunked MEGA's claims that anyone that would be able to take over MEGA's infrastructure would still not have access to your information and files.
The post MEGA claims it can’t decrypt your files. But someone’s managed to… appeared first on Malwarebytes Labs.

MEGA, the cloud storage provider and file hosting service, is very proud of its end-to-end encryption. It says it couldn’t decrypt your stored files, even if it wanted to.

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key. MEGA does not have access to your password or your data. Using a strong and unique password will ensure that your data is protected from being hacked and gives you total confidence that your information will remain just that – yours.”

But there’s a problem. A Swiss team of researchers has just proved those claims wrong.

And that’s not all. The research went one step further, finding that an attacker could insert malicious files into the storage, passing all authenticity checks of the client.

**Cryptography flaws**

Researchers at the Department of Computer Science of the ETH Zurich in Zurich, Switzerland reviewed the security of MEGA and found significant issues in how it uses cryptography.

These findings could lead to devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.

**Key hierarchy**

The MEGA client derives an authentication key and an encryption key from the password. The authentication key identifies users to MEGA. The encryption key encrypts a randomly generated master key, which in turn encrypts other key material of the user. Every account has a set of asymmetric keys: An RSA key pair for sharing data, a Curve25519 key pair for exchanging chat keys for MEGA’s chat functionality, and an Ed25519 key pair for signing the other keys. Furthermore, the client generates a new key for every file or folder (collectively referred to as nodes) uploaded by the user.

Long story short, all the keys are derived in one way or another from the password. And all the keys get stored on MEGA’s servers to support access from multiple devices.

**Ciphertext**

Ciphertext is encrypted text transformed from plaintext using an encryption algorithm. The researchers built two attacks based on the lack of integrity protection of ciphertexts containing keys, and two further attacks to breach the integrity of file ciphertexts and allow a malicious service provider to insert chosen files into a user’s cloud storage.

**Attacks**

Due to the flawed integrity protection, a malicious service provider can recover a user’s private RSA share key (used to share file and folder keys) over 512 login attempts. The number is 512 because of the RSA-CRT implementation used by MEGA clients to build an oracle that leaks one bit of information per login attempt about a factor of the RSA modulus.

As a result the malicious service provider can recover any plaintext encrypted with AES-ECB under a user’s master key. This includes all node keys used for encrypting files and folders. As a consequence, the confidentiality of all user data protected by these keys, such as files and chat messages, is lost.

Based on the first two attacks, a malicious service provider can construct an encrypted file. The user cannot demonstrate that they didn’t upload the forged data because the files and keys are indistinguishable from genuinely uploaded ones. It needs no further explanation that introducing a malicious file in such an attack could further compromise not only the user’s system, but also for those the user has shared their files or folders with.

**MEGA’s response**

MEGA acknowledged the issue on March 24, 2022, and released patches on June 21, 2022, awarding the researchers a bug bounty. But MEGA’s fix differs greatly from what the researchers proposed, patching only for the first attack alone since the other attacks rely on the first one.

Since that does not fix the key reuse issue, lack of integrity checks, and other systemic problems the researchers identified, this remains a source of concern for them.

As a regular MEGA user there is no reason to worry about these flaws, especially if you haven’t logged in more than 512 times. An attacker would need to have control over MEGA’s API servers or TLS connections without being noticed to perform any of these attacks.

Anyone interested in more technical details, can read the researcher’s paper.

MEGA claims it can’t decrypt your files. But someone’s managed to…

SAP Focused Run Simple Diagnostics Agent version 1.0 suffers from a directory traversal vulnerability.

    # Onapsis Security Advisory 2022-0007: Directory Traversal vulnerability inSAP Focused Run (Simple Diagnostics Agent 1.0)## Impact on BusinessExposing the contents of a directory can lead to a disclosure of usefulinformationfor the attacker to devise exploits, such as creation times of files or anyinformation that may be encoded in file names. The directory listing mayalsocompromise private or confidential data.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0007- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SIMPLE\_DIAGNOSTICS\_AGENT 1.0  (Check SAP Note 3159091 for detailed information on affected releases)- Vulnerability Class: CWE-548- CVSS v3 score: 2.7 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N- Risk Level: Low- Assigned CVE: CVE-2022-27657- Vendor patch Information: SAP Security NOTE 3159091## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsA path traversal exists in the Simple Diagnostic Agent service listening, bydefault, on localhost port 3005. A local attacker, without particularprivileges,can use it to display content of the directory as ```sapadm``` OS user.Leading toinformation disclosure of potentially sensitive data.## SolutionSAP has released SAP Note 3159091 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3159091.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 04/12/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-april-2022-focus-spring4shell-and-sap-mii- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27657- Vendor Patch:https://launchpad.support.sap.com/#/notes/3159091## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN Simple Diagnostics Agent 1.0 Directory Traversal

SAP Focused Run Simple Diagnostics Agent version 1.0 suffers from an information disclosure vulnerability.

    # Onapsis Security Advisory 2022-0006: Information Disclosure vulnerabilityin SAP Focused Run (Simple Diagnostics Agent 1.0)## Impact on BusinessRunning unnecessary services, like a jetty webserver, may lead to increasedsurface area for an attack and also it unnecessarily exposes underlyingvulnerabilities.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0006- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SIMPLE\_DIAGNOSTICS\_AGENT 1.0  (Check SAP Note 3147102 for detailed information on affected releases)- Vulnerability Class: CWE-200- CVSS v3 score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N- Risk Level: Medium- Assigned CVE: CVE-2022-22547- Vendor patch Information: SAP Security NOTE 3147102## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsThe Simple Diagnostic Agent exposed a Jetty Web server on a random port,between9000-65535. This service does not handle any API or servlets, as well asdoesnot have any incoming or outcoming network communication. This allowsinformation gathering which could be used to exploit future open sourcesecurityexploits.## SolutionSAP has released SAP Note 3147102 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3147102.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22547- Vendor Patch:https://launchpad.support.sap.com/#/notes/3147102## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN Simple Diagnostics Agent 1.0 Information Disclosure

The SAP Fiori launchpad suffers from a cross site scripting vulnerability. Various component versions are affected.

    # Onapsis Security Advisory 2022-0005: Cross-Site Scripting (XSS)vulnerability in SAP Fiori launchpad## Impact on BusinessImpact depends on the victim's privileges. In most cases, a successfulattackallows an attacker to hijack a session, or force the victim to performundesiredrequests in the SAP System (CSRF) as well as redirected to arbitrary website(Open Redirect).## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0005- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SAP\_UI 753  - SAP\_UI 754  - SAP\_UI 755  - SAP\_UI 756  - SAP\_BASIS 787  (Check SAP Note 3149805 for detailed information on affected releases)- Vulnerability Class: CWE-79- CVSS v3 score: 8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N- Risk Level: High- Assigned CVE: CVE-2022-26101- Vendor patch Information: SAP Security NOTE 3149805## Affected Components DescriptionSAP Fiori launchpad is the entry point to ABAP platform for SAP Fiori appsonmobile and desktop devices.## Vulnerability DetailsDuring the navigation in SAP Fiori Launchpad, it is possible to provide acustomtheme name using the url parameter ```sap-theme```. This parameter has anoption to provide the path to a .css file, which it is used directly in thepagegeneration. This optional input is not sufficiently sanitized, allowing anattacker tocontrol and craft any kind of html payload in the page requested.## SolutionSAP has released SAP Note 3149805 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3149805.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/09/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26101- Vendor Patch:https://launchpad.support.sap.com/#/notes/3149805- Vendor FAQ:https://launchpad.support.sap.com/#/notes/3157089## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP Fiori Launchpad Cross Site Scripting

SAP Focused Run Simple Diagnostics Agent version 1.0 suffers from a missing authentication vulnerability.

    # Onapsis Security Advisory 2022-0004: Missing Authentication check in SAPFocused Run (Simple Diagnostics Agent 1.0)## Impact on BusinessBecause the Simple Diagnostic Agent (SDA) handles several importantconfiguration and critical credential information, a successful attackcould lead to the control of the SDA, and therefore affect:  * Integrity, by modifying the configuration.  * Availability, by stopping the service.  * Confidentiality and Scope changing, by decrypting all storedcredentials. Thenaccessing the SAP Focused Run system as well as the SAP system managed bytheSDA.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0004- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SIMPLE\_DIAGNOSTICS\_AGENT 1.0  (Check SAP Note 3145987 for detailed information on affected releases)- Vulnerability Class: CWE-306- CVSS v3 score: 9.3 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H- Risk Level: Critical- Assigned CVE: CVE-2022-24396- Vendor patch Information: SAP Security NOTE 3145987## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsVulnerability 1:No authentication is required to interact with the Simple Diagnostic Agenthttpservice on port 3005 by default. Therefore, unauthenticated attackers willhavefull access to either administrative or other privileged functionalities.Leveragingthis access, they would be able to read, modify or delete sensitiveinformation andconfigurations with sapadm OS user privileges.Vulnerability 2:A path traversal exists in the Simple Diagnostic Agent service listening, bydefault, on localhost port 3005. A local attacker, without particularprivileges,can abuse this flaw in order to display the content of any OS directorywhich ```sapadm```has access to. Leading to information disclosure of potentially sensitivedata.## SolutionSAP has released SAP Note 3145987 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3145987.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published.## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24396- Vendor Patch:https://launchpad.support.sap.com/#/notes/3145987## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN Simple Diagnostics Agent 1.0 Missing Authentication

SAP Focused Run versions 2.00 and 3.00 suffer from a cross site scripting vulnerability.

    # Onapsis Security Advisory 2022-0003: Cross-Site Scripting (XSS)vulnerability in SAP Focused Run (Real User Monitoring)## Impact on BusinessImpact depends on the victim's privileges. In most cases, a successfulattackallows an attacker to hijack a session, or force the victim to performundesired requestin SAP Focused Run.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0003- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - FRUN 2.00  - FRUN 3.00  (Check SAP Note 3147283 for detailed information on affected releases)- Vulnerability Class: CWE-79- CVSS v3 score: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N- Risk Level: Medium- Assigned CVE: CVE-2022-24399- Vendor patch Information: SAP Security NOTE 3147283## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsThe SAP Focused Run REST service ```/sap/bc/rest/rumupload``` do notsufficiently sanitize an input in the multipart/form-data leading toCross-SiteScripting (XSS) vulnerability from the error page generated.## SolutionSAP has released SAP Note 3147283 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3147283.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published.## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24399- Vendor Patch:https://launchpad.support.sap.com/#/notes/3147283## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN 2.00 / 3.00 Cross Site Scripting

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF.

**CVE-2021-41594**

RSA Archer

RSA Archer 6.9.SP1 P3 suffer of a privilege escalation vulnerability letting administrators access presumibily inaccessible functionalities.

**CVE-2021-40511**

Mastro – OBDA systems

OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service.

**CVE-2021-40510**

Mastro – OBDA systems

XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs.

**CVE-TBA-01**

Liferay Portal

Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.

**CVE-2021-36761**

Qlik Sense

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows remote attackers to perform internal port scanning via SSRF.

**CVE-2021-36760**

WSO2 Identity Server

DOM-based XSS attack in WSO2 Identity Server 5.7.0 allows remote attackers to inject arbitrary web script in password reset procedure. This vulnerability can be used to perform Open Redirection attacks too.

**CVE-2020-23488**

L.E.F Radio Web Streamer

Blind Command Injection in L.E.F. srl Radio Web Streamer 1.0 allows an  
authenticated attacker to execute arbitrary command on the target system via specially crafted HTTP POST request.

**CVE-2020-23487**

L.E.F Radio Web Streamer

Arbitrary File Upload in L.E.F. srl Radio Web Streamer 1.0 allows an  
authenticated attacker to upload arbitrary file on the target system, hence  
executing arbitrary command by uploading a PHP file.

**CVE-2020-23486**

L.E.F Radio Web Streamer

Unauthenticated Command Injection in L.E.F. srl Radio Web Streamer 1.0 allows  an attacker to execute arbitrary command on the target system.

**CVE-2020-14608**

Oracle Fusion Middleware MapViewer

This vulnerability allows unauthenticated attacker with network access via HTTP to create, delete, edit critical data and read accessible data.

**CVE-2020-14607**

Oracle Fusion Middleware MapViewer

This vulnerability allows unauthenticated attacker with network access via HTTP to update, insert, delete and partially read accessible data.

**CVE-2020-14997**

ASiM – Archimista

An Insecure Direct Object Reference (IDOR) in Archimista 3.1.0 allows authenticated attacker to read and export all the reports in the application.

**CVE-2020-14996**

ASiM – Archimista

An arbitrary file read in Archimista 3.1.0 allows remote attacker to read arbitrary files on the file system.

**CVE-2020-14995**

ASiM – Archimista

A SQL injection in Archimista 3.1.0 allows remote attacker to execute arbitrary query on the database via the “term” parameter.

**CVE-2020-14994**

ASiM – Archimista

A SQL injection in Archimista 3.1.0 allows remote attacker to execute arbitrary query on the database via the “order” parameter.

**CVE-2020-10785**

Targa Telematics

**CVE-2020-10784**

Targa Telematics

**CVE-2019-19866**

Atos Unify OpenScape UC Application

Atos Unify OpenScape UC Web Client V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId to getMailFunction in the JSON API, one can enumerate all conferences scheduled on the platform, with their numbers and access PINs.

**CVE-2019-19865**

Atos Unify OpenScape UC Application

Atos Unify OpenScape UC Application V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows XSS. An attacker could exploit this by convincing an authenticated user to inject arbitrary JavaScript code in the Profile Name field. A browser would execute this stored XSS payload.

**CVE-2019-17227**

Atos Unify OpenScape UC Application

CVE-2021-36761: Advisory - Joshua CybeRiskVision

Ubuntu Security Notice 5485-1 - It was discovered that some Intel processors did not completely perform cleanup actions on multi-core shared buffers. A local attacker could possibly use this to expose sensitive information. It was discovered that some Intel processors did not completely perform cleanup actions on microarchitectural fill buffers. A local attacker could possibly use this to expose sensitive information. It was discovered that some Intel processors did not properly perform cleanup during specific special register write operations. A local attacker could possibly use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5485-1June 17, 2022linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4,linux-azure, linux-azure-4.15, linux-azure-5.13, linux-azure-5.4,linux-azure-fde, linux-dell300x, linux-gcp, linux-gcp-4.15,linux-gcp-5.13, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop,linux-gkeop-5.4, linux-hwe, linux-hwe-5.13, linux-hwe-5.4, linux-ibm,linux-ibm-5.4, linux-intel-5.13, linux-intel-iotg, linux-kvm,linux-lowlatency, linux-oracle, linux-oracle-5.13, linux-oracle-5.4vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 21.10- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were addressed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-5.13: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.13: Linux kernel for Microsoft Azure cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.13: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.13: Linux hardware enablement (HWE) kernel- linux-intel-5.13: Linux kernel for Intel IOTG- linux-oracle-5.13: Linux kernel for Oracle Cloud systems- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-dell300x: Linux kernel for Dell 300x platforms- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke-5.4: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop-5.4: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that some Intel processors did not completely performcleanup actions on multi-core shared buffers. A local attacker couldpossibly use this to expose sensitive information. (CVE-2022-21123)It was discovered that some Intel processors did not completely performcleanup actions on microarchitectural fill buffers. A local attacker couldpossibly use this to expose sensitive information. (CVE-2022-21125)It was discovered that some Intel processors did not properly performcleanup during specific special register write operations. A local attackercould possibly use this to expose sensitive information. (CVE-2022-21166)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  linux-image-5.15.0-1009-ibm     5.15.0-1009.11  linux-image-5.15.0-1010-gcp     5.15.0-1010.15  linux-image-5.15.0-1010-gke     5.15.0-1010.13  linux-image-5.15.0-1010-intel-iotg  5.15.0-1010.14  linux-image-5.15.0-1011-oracle  5.15.0-1011.15  linux-image-5.15.0-1012-azure   5.15.0-1012.15  linux-image-5.15.0-1012-kvm     5.15.0-1012.14  linux-image-5.15.0-1013-aws     5.15.0-1013.17  linux-image-5.15.0-39-generic   5.15.0-39.42  linux-image-5.15.0-39-generic-64k  5.15.0-39.42  linux-image-5.15.0-39-generic-lpae  5.15.0-39.42  linux-image-5.15.0-39-lowlatency  5.15.0-39.42  linux-image-5.15.0-39-lowlatency-64k  5.15.0-39.42  linux-image-aws                 5.15.0.1013.13  linux-image-azure               5.15.0.1012.11  linux-image-gcp                 5.15.0.1010.9  linux-image-generic             5.15.0.39.40  linux-image-generic-hwe-22.04   5.15.0.39.40  linux-image-generic-lpae        5.15.0.39.40  linux-image-generic-lpae-hwe-22.04  5.15.0.39.40  linux-image-gke                 5.15.0.1010.13  linux-image-gke-5.15            5.15.0.1010.13  linux-image-ibm                 5.15.0.1009.8  linux-image-intel-iotg          5.15.0.1010.10  linux-image-kvm                 5.15.0.1012.10  linux-image-lowlatency          5.15.0.39.38  linux-image-lowlatency-hwe-22.04  5.15.0.39.38  linux-image-oem-20.04           5.15.0.39.40  linux-image-oracle              5.15.0.1011.9  linux-image-virtual             5.15.0.39.40  linux-image-virtual-hwe-22.04   5.15.0.39.40Ubuntu 21.10:  linux-image-5.13.0-1030-kvm     5.13.0-1030.33  linux-image-5.13.0-1031-aws     5.13.0-1031.35  linux-image-5.13.0-1031-azure   5.13.0-1031.37  linux-image-5.13.0-1033-gcp     5.13.0-1033.40  linux-image-5.13.0-1036-oracle  5.13.0-1036.43  linux-image-5.13.0-51-generic   5.13.0-51.58  linux-image-5.13.0-51-generic-lpae  5.13.0-51.58  linux-image-5.13.0-51-lowlatency  5.13.0-51.58  linux-image-aws                 5.13.0.1031.29  linux-image-azure               5.13.0.1031.28  linux-image-gcp                 5.13.0.1033.28  linux-image-generic             5.13.0.51.57  linux-image-generic-lpae        5.13.0.51.57  linux-image-gke                 5.13.0.1033.28  linux-image-kvm                 5.13.0.1030.27  linux-image-lowlatency          5.13.0.51.57  linux-image-oem-20.04           5.13.0.51.57  linux-image-oracle              5.13.0.1036.33  linux-image-virtual             5.13.0.51.57Ubuntu 20.04 LTS:  linux-image-5.13.0-1017-intel   5.13.0-1017.19  linux-image-5.13.0-1031-aws     5.13.0-1031.35~20.04.1  linux-image-5.13.0-1031-azure   5.13.0-1031.37~20.04.1  linux-image-5.13.0-1033-gcp     5.13.0-1033.40~20.04.1  linux-image-5.13.0-1036-oracle  5.13.0-1036.43~20.04.1  linux-image-5.13.0-51-generic   5.13.0-51.58~20.04.1  linux-image-5.13.0-51-generic-64k  5.13.0-51.58~20.04.1  linux-image-5.13.0-51-generic-lpae  5.13.0-51.58~20.04.1  linux-image-5.13.0-51-lowlatency  5.13.0-51.58~20.04.1  linux-image-5.4.0-1028-ibm      5.4.0-1028.32  linux-image-5.4.0-1048-gkeop    5.4.0-1048.51  linux-image-5.4.0-1070-kvm      5.4.0-1070.75  linux-image-5.4.0-1076-gke      5.4.0-1076.82  linux-image-5.4.0-1078-oracle   5.4.0-1078.86  linux-image-5.4.0-1080-aws      5.4.0-1080.87  linux-image-5.4.0-1080-gcp      5.4.0-1080.87  linux-image-5.4.0-1085-azure    5.4.0-1085.90  linux-image-5.4.0-1085-azure-fde  5.4.0-1085.90+cvm1.1  linux-image-5.4.0-120-generic   5.4.0-120.136  linux-image-5.4.0-120-generic-lpae  5.4.0-120.136  linux-image-5.4.0-120-lowlatency  5.4.0-120.136  linux-image-aws                 5.13.0.1031.35~20.04.25  linux-image-aws-lts-20.04       5.4.0.1080.80  linux-image-azure               5.13.0.1031.37~20.04.20  linux-image-azure-fde           5.4.0.1085.90+cvm1.25  linux-image-azure-lts-20.04     5.4.0.1085.82  linux-image-gcp                 5.13.0.1033.40~20.04.1  linux-image-gcp-lts-20.04       5.4.0.1080.86  linux-image-generic             5.4.0.120.121  linux-image-generic-hwe-20.04   5.13.0.51.58~20.04.31  linux-image-generic-lpae        5.4.0.120.121  linux-image-generic-lpae-hwe-20.04  5.13.0.51.58~20.04.31  linux-image-gke                 5.4.0.1076.84  linux-image-gke-5.4             5.4.0.1076.84  linux-image-gkeop               5.4.0.1048.49  linux-image-gkeop-5.4           5.4.0.1048.49  linux-image-ibm                 5.4.0.1028.25  linux-image-ibm-lts-20.04       5.4.0.1028.25  linux-image-intel               5.13.0.1017.15  linux-image-kvm                 5.4.0.1070.67  linux-image-lowlatency          5.4.0.120.121  linux-image-lowlatency-hwe-20.04  5.13.0.51.58~20.04.31  linux-image-oem                 5.4.0.120.121  linux-image-oem-osp1            5.4.0.120.121  linux-image-oracle              5.13.0.1036.43~20.04.1  linux-image-oracle-lts-20.04    5.4.0.1078.76  linux-image-virtual             5.4.0.120.121  linux-image-virtual-hwe-20.04   5.13.0.51.58~20.04.31Ubuntu 18.04 LTS:  linux-image-4.15.0-1048-dell300x  4.15.0-1048.53  linux-image-4.15.0-1101-oracle  4.15.0-1101.112  linux-image-4.15.0-1122-kvm     4.15.0-1122.127  linux-image-4.15.0-1130-gcp     4.15.0-1130.146  linux-image-4.15.0-1136-aws     4.15.0-1136.147  linux-image-4.15.0-1145-azure   4.15.0-1145.160  linux-image-4.15.0-187-generic  4.15.0-187.198  linux-image-4.15.0-187-generic-lpae  4.15.0-187.198  linux-image-4.15.0-187-lowlatency  4.15.0-187.198  linux-image-5.4.0-1028-ibm      5.4.0-1028.32~18.04.1  linux-image-5.4.0-1048-gkeop    5.4.0-1048.51~18.04.1  linux-image-5.4.0-1076-gke      5.4.0-1076.82~18.04.1  linux-image-5.4.0-1078-oracle   5.4.0-1078.86~18.04.1  linux-image-5.4.0-1080-aws      5.4.0-1080.87~18.04.1  linux-image-5.4.0-1080-gcp      5.4.0-1080.87~18.04.1  linux-image-5.4.0-1085-azure    5.4.0-1085.90~18.04.1  linux-image-5.4.0-120-generic   5.4.0-120.136~18.04.1  linux-image-5.4.0-120-generic-lpae  5.4.0-120.136~18.04.1  linux-image-5.4.0-120-lowlatency  5.4.0-120.136~18.04.1  linux-image-aws                 5.4.0.1080.60  linux-image-aws-lts-18.04       4.15.0.1136.136  linux-image-azure               5.4.0.1085.62  linux-image-azure-lts-18.04     4.15.0.1145.115  linux-image-dell300x            4.15.0.1048.48  linux-image-gcp                 5.4.0.1080.61  linux-image-gcp-lts-18.04       4.15.0.1130.146  linux-image-generic             4.15.0.187.173  linux-image-generic-hwe-18.04   5.4.0.120.136~18.04.100  linux-image-generic-lpae        4.15.0.187.173  linux-image-generic-lpae-hwe-18.04  5.4.0.120.136~18.04.100  linux-image-gke-5.4             5.4.0.1076.82~18.04.38  linux-image-gkeop-5.4           5.4.0.1048.51~18.04.45  linux-image-ibm                 5.4.0.1028.42  linux-image-kvm                 4.15.0.1122.115  linux-image-lowlatency          4.15.0.187.173  linux-image-lowlatency-hwe-18.04  5.4.0.120.136~18.04.100  linux-image-oem                 5.4.0.120.136~18.04.100  linux-image-oem-osp1            5.4.0.120.136~18.04.100  linux-image-oracle              5.4.0.1078.86~18.04.55  linux-image-oracle-lts-18.04    4.15.0.1101.108  linux-image-snapdragon-hwe-18.04  5.4.0.120.136~18.04.100  linux-image-virtual             4.15.0.187.173  linux-image-virtual-hwe-18.04   5.4.0.120.136~18.04.100Ubuntu 16.04 ESM:  linux-image-4.15.0-1101-oracle  4.15.0-1101.112~16.04.1  linux-image-4.15.0-1130-gcp     4.15.0-1130.146~16.04.1  linux-image-4.15.0-1136-aws-hwe  4.15.0-1136.147~16.04.1  linux-image-4.15.0-1145-azure   4.15.0-1145.160~16.04.1  linux-image-4.15.0-187-generic  4.15.0-187.198~16.04.1  linux-image-4.15.0-187-lowlatency  4.15.0-187.198~16.04.1  linux-image-aws-hwe             4.15.0.1136.123  linux-image-azure               4.15.0.1145.132  linux-image-gcp                 4.15.0.1130.127  linux-image-generic-hwe-16.04   4.15.0.187.174  linux-image-gke                 4.15.0.1130.127  linux-image-lowlatency-hwe-16.04  4.15.0.187.174  linux-image-oem                 4.15.0.187.174  linux-image-oracle              4.15.0.1101.86  linux-image-virtual-hwe-16.04   4.15.0.187.174Ubuntu 14.04 ESM:  linux-image-4.15.0-1145-azure   4.15.0-1145.160~14.04.1  linux-image-azure               4.15.0.1145.114Please note that fully mitigating processor vulnerabilities requirescorresponding processor microcode/firmware updates.After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-5485-1  CVE-2022-21123, CVE-2022-21125, CVE-2022-21166Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-39.42  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1013.17  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1012.15  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1010.15  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1010.13  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1009.11  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1010.14  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1012.14  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-39.42  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1011.15  https://launchpad.net/ubuntu/+source/linux/5.13.0-51.58  https://launchpad.net/ubuntu/+source/linux-aws/5.13.0-1031.35  https://launchpad.net/ubuntu/+source/linux-azure/5.13.0-1031.37  https://launchpad.net/ubuntu/+source/linux-gcp/5.13.0-1033.40  https://launchpad.net/ubuntu/+source/linux-kvm/5.13.0-1030.33  https://launchpad.net/ubuntu/+source/linux-oracle/5.13.0-1036.43  https://launchpad.net/ubuntu/+source/linux/5.4.0-120.136  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1080.87  https://launchpad.net/ubuntu/+source/linux-aws-5.13/5.13.0-1031.35~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1085.90  https://launchpad.net/ubuntu/+source/linux-azure-5.13/5.13.0-1031.37~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1085.90+cvm1.1  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1080.87  https://launchpad.net/ubuntu/+source/linux-gcp-5.13/5.13.0-1033.40~20.04.1  https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1076.82  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1048.51  https://launchpad.net/ubuntu/+source/linux-hwe-5.13/5.13.0-51.58~20.04.1  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1028.32  https://launchpad.net/ubuntu/+source/linux-intel-5.13/5.13.0-1017.19  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1070.75  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1078.86  https://launchpad.net/ubuntu/+source/linux-oracle-5.13/5.13.0-1036.43~20.04.1  https://launchpad.net/ubuntu/+source/linux/4.15.0-187.198  https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1136.147  https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1080.87~18.04.1  https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1145.160  https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1085.90~18.04.1  https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1048.53  https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1130.146  https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1080.87~18.04.1  https://launchpad.net/ubuntu/+source/linux-gke-5.4/5.4.0-1076.82~18.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.4/5.4.0-1048.51~18.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-120.136~18.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.4/5.4.0-1028.32~18.04.1  https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1122.127  https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1101.112  https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1078.86~18.04.1

Ubuntu Security Notice USN-5485-1

Vulnerability in the Oracle Cloud Infrastructure product of Oracle Cloud Services. Easily exploitable vulnerability allows high privileged attacker with network access to compromise Oracle Cloud Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to Oracle Cloud Infrastructure accessible data. All affected customers were notified of CVE-2022-21503 by Oracle. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Home nav

Oracle

Close Search

Search

Sign In

Back

*   
*   

*   Help
*   Sign Out

*    
*   

Close

*   
*   
*   &
*   
*   

*   
*   
*   
*

CVE-2022-21503: My Oracle Support

JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts.

**New and changed features in JForum 2.8.1**

Information about upgrading from JForum version 2.8.0 to 2.8.1 can be found at Upgrading to JForum 2.8.1

**New Features and fixes**

*   fixed CSRF vulnerability
*   more control over image attachments from _Configurations_ page
*   various font and background colors can be configured from the _Configurations_ page
*   optimize _Recent Topics_ and _Hot Topics_ for large installations
*   fixed issue where the _last visited time_ on the forum home page was not actually reflecting that, but the time of the last session start
*   switch Google Analytics integration from analytics.js to gtag.js

**Libraries**

*   updated Apache Lucene from 8.10.1 to 8.11.1
*   updated Apache PDFBox from 2.0.24 to 2.0.26
*   updated EventBus from 3.2.0 to 3.3.1
*   updated JDOM2 from 2.0.6 to 2.0.6.1
*   updated JSoup from 1.14.3 to 1.15.1
*   updated Microsoft SQLServer driver from 9.4.0 to 10.2.1
*   updated MySQL driver from 8.0.27 to 8.0.29
*   updated Oracle driver from 21.3.0.0 to 21.5.0.0
*   updated PrettyTime from 5.0.2 to 5.0.3
*   updated PostgreSQL driver from 42.3.1 to 42.3.6
*   updated slf4j from 1.7.32 to 1.7.36
*   added YAUAA 7.1.0 (instead of pieroxy) for user agent detection
*   updated several Maven plugins

**New Configurations**

Entry name

Default value

Description

attachments.images.thumb.hover.show

false

Whether to show the full-sized image as a popup when hovering over an image thumbnail. This causes all images to be downloaded in full size - which may not be wanted.

color.orange

#ffa34f

Orange font color

color.darkblue

#01336b

Dark blue font color

color.lightgray

#dee3e7

Light gray background color

color.verylight

#fafafa

Very light background color

color.quitelight

#f7f7f7

Quite light background color

**Database Schema**

These indexes speed up operations on large JForum installation, but are optional.

CREATE INDEX idx\_topics\_views ON jforum\_topics(topic\_views);  
CREATE INDEX idx\_topics\_replies ON jforum\_topics(topic\_replies);

Tag

#oracle