Andrés Elizalde Galdeano

**Name of the Vulnerable Software and Affected Versions** Repbox (affected versions not specified) **Description** An unrestricted file upload vulnerability has been identified, allowing an attacker to upload malicious files via the `transforamationfileupload` function due to the lack of proper file type validation controls, resulting in a full system compromise. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Repox (affected versions not specified) **Description** An XEE vulnerability has been found in Repox, allowing a remote attacker to interfere with the application's XML data processing in the `fileupload` function. This results in interaction between the attacker and the server's file system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Repox (affected versions not specified) **Description** A path traversal vulnerability has been detected, allowing an attacker to read arbitrary files on the running server. This results in the disclosure of sensitive information, including application code or data, backend credentials, and operating system files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Repox (affected versions not specified) **Description** An authentication bypass issue has been found, allowing a remote user to send a specially crafted POST request due to the lack of any authentication method. This results in the alteration or creation of users. The issue can be exploited by sending a specially crafted request to the affected system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Repox (affected versions not specified) **Description** An XSS issue has been detected, allowing an attacker to compromise interactions between a user and the vulnerable application. This can be exploited by a third party sending a specially crafted JavaScript payload to a user, thus gaining full control of their session. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Repox (affected versions not specified) **Description** A stored XSS vulnerability has been identified in Repox, allowing a local attacker to store a specially crafted JavaScript payload on the server due to the lack of proper sanitisation of field elements. This enables the attacker to trigger the malicious payload when the application loads. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ICS Business Manager version 7.06.0028.7066 **Description** A security issue has been identified, allowing a remote attacker to send a specially crafted string, exploiting the `obdd act` parameter. This could enable the attacker to steal an authenticated user's session and perform actions within the application. **Recommendations** For ICS Business Manager version 7.06.0028.7066, consider restricting access to the `obdd act` parameter until a patch is available. As a temporary workaround, avoid using the `obdd act` parameter in sensitive operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ICS Business Manager version 7.06.0028.7089 **Description** A SQL injection issue has been discovered, allowing a remote user to send a specially crafted SQL query to retrieve all database information. The data can also be modified or deleted, causing application malfunction. **Recommendations** For ICS Business Manager version 7.06.0028.7089, update to a version that includes a fix for this SQL injection issue to prevent potential data breaches and application malfunctions.