Benjamin Faller

Name of the Vulnerable Software and Affected Versions VertiGIS FM version 10.5.00119 (0d29d428) Description A local file inclusion issue exists in the upload/download functionality of VertiGIS FM. Authenticated attackers can read arbitrary files from the server by manipulating a file's path during upload. Downloading the file then returns the attacker-controlled file. The ASP.NET architecture may allow for remote code execution if the `web.config` file is obtained. UNC path resolution may also enable NTLM-relaying attacks. Recommendations Update to a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions VertiGIS FM (versões afetadas não especificadas) Description Uma vulnerabilidade de scripting cross-site refletido (XSS) existe na funcionalidade de pesquisa do painel de controle. Atacantes podem criar uma URL maliciosa que, quando visitada por um usuário autenticado, executa código JavaScript arbitrário dentro da sessão do usuário. Recommendations No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** TYDAC AG MAP+ version 3.4.0 **Description** A reflected cross-site scripting (XSS) flaw exists in the PDF export functionality. This allows unauthenticated attackers to create a malicious URL. If a victim accesses this URL, arbitrary JavaScript code can be executed within the victim’s browsing session. The malicious URL could be delivered through methods like sending a link or tricking a victim into visiting a crafted page. **Recommendations** TYDAC AG MAP+ version 3.4.0 should be updated to a fixed version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PocketBook InkPad Color 3 version U743k3.6.8.3671 **Description** A privilege escalation issue in PocketBook InkPad Color 3 allows attackers to gain root privileges if they have physical access to the device. **Recommendations** For version U743k3.6.8.3671, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PocketBook InkPad Color 3 version U743k3.6.8.3671 **Description** A Sudo privilege misconfiguration issue allows attackers to read file contents on the device. **Recommendations** For version U743k3.6.8.3671, consider restricting Sudo privileges to minimize the risk of exploitation until a patch is available.