Özkan Mustafa Akkuş

**Nome do software vulnerável e versões afetadas** Servisnet Tessa versão 0.0.2 **Descrição** Foi descoberta uma vulnerabilidade que permite que um invasor obtenha informações confidenciais. Isso pode ser feito por meio de uma solicitação “/js/app.js”. **Recomendações** Para o Servisnet Tessa versão 0.0.2, considere restringir o acesso ao endpoint “/js/app.js” até que uma correção esteja disponível.

**Nome do software vulnerável e versões afetadas** Servisnet Tessa versão 0.0.2 **Descrição** Foi descoberta uma falha na qual dados de autorização ficam disponíveis por meio de uma solicitação não autenticada ao endpoint da API “/data-service/users/”. **Recomendações** Para o Servisnet Tessa versão 0.0.2, considere restringir o acesso ao endpoint da API “/data-service/users/” para impedir o acesso não autorizado aos dados de autorização até que uma correção esteja disponível.

**Nome do software vulnerável e versões afetadas** Servisnet Tessa versão 0.0.2 **Descrição** Foi descoberta uma falha que permite que um invasor adicione um novo usuário sysadmin por meio da manipulação do cabeçalho HTTP `Authorization`. **Recomendações** Para o Servisnet Tessa versão 0.0.2, considere restringir o acesso ao cabeçalho HTTP Authorization para impedir a manipulação até que uma correção esteja disponível. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Versões do Ericsson Network Location anteriores a 31/07/2021 **Descrição** A vulnerabilidade permite que um invasor autenticado injete comandos por meio do parâmetro `file name` na funcionalidade de exportação. Isso poderia ser usado para criar um novo usuário administrador. **Recomendações** Para versões anteriores a 31/07/2021, considere restringir o acesso à funcionalidade de exportação até que uma correção esteja disponível. Como solução alternativa temporária, evite usar o parâmetro `file name` na funcionalidade de exportação para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Netsia SEBA+ versões 0.16.1 e anteriores, especificamente a compilação 70-e669dcd7 **Descrição** A vulnerabilidade permite que invasores remotos descubram cookies de sessão por meio de uma solicitação direta ao endpoint da API “/session/list/allActiveSession”. Isso pode levar à descoberta do cookie do administrador se a conta de administrador estiver conectada no momento da solicitação, permitindo que o invasor use esse cookie imediatamente para obter acesso de administrador. **Recomendações** Para as versões 0.16.1 e anteriores do Netsia SEBA+, considere restringir o acesso ao endpoint da API “/session/list/allActiveSession” para minimizar o risco de exploração. Como solução temporária, limite o uso de contas de administrador quando a solicitação allActiveSession puder ocorrer. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** BT CTROMS Terminal OS Port Portal CT-464 **Descrição** Uma falha no recurso de redefinição de senha permite a apropriação de conta por meio da divulgação do token de verificação. Quando é feita uma solicitação ao getverificationcode.jsp, o token é enviado não apenas para o número de telefone registrado do usuário, mas também para o cliente HTTP não autenticado. **Recomendações** Para o BT CTROMS Terminal OS Port Portal CT-464, considere desativar temporariamente o recurso de redefinição de senha até que uma correção esteja disponível para evitar a apropriação de contas. Restrinja o acesso à solicitação getverificationcode.jsp para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Application Manager versions through 14.2 **Description** A SQL Injection issue exists in the jsp/NewThresholdConfiguration.jsp file via the `resourceid` parameter, allowing a low-authority user to gain SYSTEM authority on the server. This can lead to uploading a malicious file using the "Execute Program Action(s)" feature. **Recommendations** For Zoho ManageEngine Application Manager versions through 14.2, avoid using the `resourceid` parameter in the jsp/NewThresholdConfiguration.jsp file until a fix is available. As a temporary workaround, consider restricting access to the "Execute Program Action(s)" feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webmin versions 1.882 through 1.921 **Description** The issue is related to a command injection vulnerability in the password change.cgi component of Webmin. This vulnerability allows a remote attacker to execute arbitrary code on the target system by sending a malicious POST request. The `old` parameter in password change.cgi contains a command injection vulnerability. The exploitation of this vulnerability may allow an attacker to gain access to the system with root privileges. **Recommendations** For Webmin versions 1.882 through 1.921, update to a version later than 1.921 to resolve the issue. As a temporary workaround, consider restricting access to the password change.cgi component to minimize the risk of exploitation. Avoid using the `old` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine OpManager versions prior to build 14310 **Description** An issue allows bypassing the user password requirement, enabling command execution on the server. The password is constructed by appending '@opm' to the `username`. For instance, if the `username` is 'admin', the password would be 'admin@opm'. **Recommendations** For versions prior to build 14310, update to a version that includes the fix for this issue to prevent password bypass and unauthorized command execution. As a temporary workaround, consider restricting access to the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine OpManager versions prior to 12.5 **Description** A SQL Injection issue exists in the jsp/NewThresholdConfiguration.jsp file via the `resourceid` parameter, allowing a low-authority user to gain SYSTEM authority on the server. This can lead to uploading malicious files using the "Execute Program Action(s)" feature. **Recommendations** For Zoho ManageEngine OpManager versions prior to 12.5, as a temporary workaround, consider restricting access to the jsp/NewThresholdConfiguration.jsp file and the "Execute Program Action(s)" feature until a patch is available. Avoid using the `resourceid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Sahi Pro version 8.0.0 **Description** The issue allows command execution via the `Player setScriptFile` function in Sahi Pro. This enables running `.sah` scripts through Sahi Launcher and creating new scripts with an editor. It is also possible to execute commands on the server using the `execute()` function. **Recommendations** For Sahi Pro version 8.0.0, consider disabling the `execute()` function as a temporary workaround until a patch is available. Restrict access to the `Player setScriptFile` function to minimize the risk of exploitation. Avoid using the `Player setScriptFile` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** AROX School-ERP Pro (affected versions not specified) **Description** The issue concerns a command execution vulnerability. Specifically, the `import stud.php` and `upload file.php` files lack session control, allowing an unauthenticated user to execute commands on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webmin versions prior to 1.910 **Description** The issue allows any user authorized to the "Package Updates" module to execute arbitrary commands with root privileges. This is achieved via the `data` parameter to the "update.cgi" endpoint. **Recommendations** For versions prior to 1.910, update to version 1.910 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Package Updates" module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.00 **Description** The issue allows remote authenticated users to execute arbitrary code. This is due to the mishandling of executable files during avatar upload in the includes/dynamics/includes/form fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc files. **Recommendations** For PHP-Fusion version 9.03.00, consider disabling the avatar upload feature until a patch is available to prevent the execution of arbitrary code. Restrict access to the edit profile.php file to minimize the risk of exploitation. Avoid using the vulnerable files includes/dynamics/includes/form fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Allied Telesis 8100L/8 devices (affected versions not specified) Description: The issue allows for cross-site scripting (XSS) attacks. This is possible due to the lack of proper input validation in the `vlanid` or `subnet mask` parameters within the `edit-ipv4 interface.php` endpoint. Recommendations: For Allied Telesis 8100L/8 devices, as a temporary workaround, consider restricting access to the `edit-ipv4 interface.php` endpoint until a patch is available. Avoid using the `vlanid` or `subnet mask` parameters in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** osTicket versions prior to 1.12 **Description** The issue exists due to the possibility of XSS via several API endpoints, including "/upload/file.php", "/upload/scp/users.php?do=import-users", and "/upload/scp/ajax.php/users/import", when an agent manager user uploads a crafted .csv file to the User Importer. This occurs because file contents can appear in an error message, potentially leading to local file inclusion. **Recommendations** For versions prior to 1.12, update to version 1.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the User Importer feature to minimize the risk of exploitation. Avoid using the User Importer to upload .csv files from untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Applications Manager versions 12 through 14 **Description** The issue allows for SQL injection via the FaultTemplateOptions.jsp resourceid. This can be exploited by an unauthenticated user to gain SYSTEM authority on the server. The exploitation involves uploading a malicious file using the "Execute Program Action(s)" feature. **Recommendations** For versions 12 through 14, update to a version that contains a fix for this issue to prevent SQL injection and unauthorized access. As a temporary workaround, consider restricting access to the "Execute Program Action(s)" feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ATutor versions prior to 2.2.5 **Description** An issue in ATutor allows a user with teacher privileges to run commands on the server. The File Manager's Upload Files section contains an arbitrary file upload vulnerability via the "upload.php" endpoint. The `$IllegalExtensions` value is case-sensitive and only lists lowercase extensions, which can be bypassed by using uppercase extensions (e.g., `.phP`). Additionally, the value omits `.shtml` and `.phtml` extensions. **Recommendations** For ATutor versions prior to 2.2.5, update to version 2.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Upload Files section in the File Manager to prevent exploitation. Additionally, modify the `$IllegalExtensions` value to include both lowercase and uppercase extensions, as well as `.shtml` and `.phtml` extensions, to prevent bypasses.

**Name of the Vulnerable Software and Affected Versions** CutePHP CuteNews version 2.1.2 **Description** An issue allows an attacker to infiltrate the server through the avatar upload process in the profile area via the "index.php?mod=main&opt=personal" endpoint, by exploiting the `avatar file` field. The lack of effective control of `$imgsize` in `/core/modules/dashboard.php` enables an attacker to change the header content of a file, bypass controls, and potentially achieve code execution, for example, by using a GIF header. **Recommendations** For CutePHP CuteNews version 2.1.2, consider disabling the avatar upload feature in the profile area until a patch is available to prevent exploitation through the `avatar file` field in the "index.php?mod=main&opt=personal" endpoint. Restrict access to the `/core/modules/dashboard.php` module to minimize the risk of exploitation related to the `$imgsize` variable.

**Name of the Vulnerable Software and Affected Versions** OpenKM versions 6.3.2 through 6.3.7 **Description** The issue allows an attacker to upload a malicious JSP file into the /okm:root directories and move that file to the home directory of the site. This is achieved by exploiting the Filesystem path control in the admin's Export field, specifically through the frontend/FileUpload and admin/repository export.jsp. As a result, attackers can gain remote code execution through the application server with root privileges. **Recommendations** For OpenKM versions 6.3.2 through 6.3.7, consider restricting access to the frontend/FileUpload and admin/repository export.jsp endpoints to minimize the risk of exploitation. Additionally, restrict the ability to upload and move files within the /okm:root directories to prevent malicious file uploads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.