Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM Business Automation Workflow due to July 2023 CPU
Summary There are multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition that is shipped with IBM Business Automation Workflow. CVE-2023-22045, CVE-2023-22049 Vulnerability Details CVEID:CVE-2023-22045 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could...
Security Bulletin: Weaker than expected security in Liberty may affect IBM Business Automation Workflow - CVE-2023-46158
Summary WebSphere Application Server Liberty profile is shipped as a component of IBM Business Automation Workflow Process Federation Server and User Management Service. IBM Business Automation Workflow Containers builds upon WebSphere Liberty. Information about a security vulnerability affecting...
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow
Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 8, which is used by the desktop version of IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow. IBM Process Designer has addressed the applicable CVEs. Vulnerability Details...
Incorrect Authorization
umbracocms is vulnerable to Incorrect Authorization. The vulnerability is due to ValidateUserAccess function in ContentSaveValidationAttribute.cs file not performing any checks for specific user permissions, as there is no differentiation between users with 'send for approval' permissions and tho...
Security Bulletin: Multiple vulnerabilities in DITA may affect IBM Business Automation Workflow Case Management docGenerator feature (CVE-2023-2976, CVE-2022-44729, CVE-2022-44730)
Summary IBM Business Automation Workflow provides a feature for generating "solution description documents" building upon an open source framework DITA. Vulnerabilities have been reported for open-source libraries repackaged by DITA. Vulnerability Details CVEID:CVE-2023-2976 DESCRIPTION: Google...
CVE-2023-44381
CVE-2023-44381 affects October CMS. Affected component: template rendering in the CMS where an authenticated backend user with editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions can craft a request to inject PHP code into a CMS template despite cms.safe_mode being enabled. Th...
CVE-2023-44383
October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This...
CVE-2023-44383
Summary: CVE-2023-44383 is a stored XSS in October CMS that is triggered when SVGs are uploaded to the Media Manager. What’s affected: October CMS (versions 3.0–3.5.x per sources) where the media manager stores SVG files. Root cause: Inadequate validation/sanitization of uploaded SVG content ...
CVE-2023-5921
Improper Enforcement of Behavioral Workflow vulnerability in DECE Software Geodi allows Functionality Bypass. This issue affects Geodi: before 8.0.0.27396...
CVE-2023-5921 Function Bypass in Geodi
Improper Enforcement of Behavioral Workflow vulnerability in DECE Software Geodi allows Functionality Bypass. This issue affects Geodi: before 8.0.0.27396...
CVE-2023-5921
CVE-2023-5921 affects DECE Software Geodi prior to version 8.0.0.27396. The issue is described as an improper enforcement of behavioral workflow that allows a functionality bypass. The material explicitly ties this to Geodi and a version boundary; no exploit details are provided. The recommended...
PT-2023-32420
Name of the Vulnerable Software and Affected Versions DECE Software Geodi versions prior to 8.0.0.27396 Description The issue is related to an Improper Enforcement of Behavioral Workflow vulnerability, which allows for Functionality Bypass in DECE Software Geodi. Recommendations For versions prio...
DECE Software Geodi Security Vulnerability
DECE Software Geodi is DECE Software's semantic search, GIS and discovery platform based on artificial intelligence and natural language processing. A security vulnerability exists in DECE Software Geodi versions prior to 8.0.0.27396 that stems from the presence of a behavioral workflow execution...
TorchServe ZipSlip
Impact Using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extracted to any location on the filesystem that is within the process permissions. Leveraging this issue could aid third-party actors in hiding harmful code in...
GHSA-M2MJ-PR4F-H9JP TorchServe ZipSlip
Impact Using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extracted to any location on the filesystem that is within the process permissions. Leveraging this issue could aid third-party actors in hiding harmful code in...
PyTorch Security Vulnerabilities
PyTorch is an open-source Python package. A security vulnerability exists in PyTorch Serve versions 0.1.0 through 0.9.0, which stems from a security flaw in the model/workflow management API. An attacker can exploit this vulnerability to upload a harmful archive...
Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow - CVE-2023-35024
Summary IBM Business Automation Workflow is vulnerable to a Cross-site scripting attack. Vulnerability Details CVEID:CVE-2023-35024 DESCRIPTION: IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI...
ILIAS < 7.23, 8.x < 8.3 Multiple Vulnerabilities
ILIAS is prone to multiple vulnerabilities.