David Elze

**Name of the Vulnerable Software and Affected Versions** QNAP VioStor NVR devices with firmware 4.0.3 **Description** A cross-site request forgery (CSRF) issue affects the cgi-bin/create user.cgi endpoint, allowing remote attackers to hijack administrator authentication for creating administrative accounts via a NEW USER action. **Recommendations** For QNAP VioStor NVR devices with firmware 4.0.3, consider disabling access to the cgi-bin/create user.cgi endpoint until a patch is available to prevent exploitation of the CSRF issue.

**Name of the Vulnerable Software and Affected Versions** QNAP VioStor NVR devices version 4.0.3 QNAP NAS (affected versions not specified), specifically in the Surveillance Station Pro component **Description** The issue allows remote authenticated users to execute arbitrary commands. This is achieved by leveraging guest access and placing shell metacharacters in the query string of the 'cgi-bin/pingping.cgi' endpoint. **Recommendations** For QNAP VioStor NVR devices version 4.0.3, update the firmware to a version that addresses this issue. For QNAP NAS with the Surveillance Station Pro component, restrict access to the 'cgi-bin/pingping.cgi' endpoint until a fix is available. As a temporary workaround, consider disabling guest access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QNAP VioStor NVR devices version 4.0.3 QNAP NAS with Surveillance Station Pro component (affected versions not specified) **Description** The issue concerns a hardcoded guest account in the affected devices, allowing remote attackers to gain web-server login access. **Recommendations** For QNAP VioStor NVR devices version 4.0.3, consider changing the default guest account credentials as a temporary workaround. For QNAP NAS with Surveillance Station Pro component, restrict access to the Surveillance Station Pro component until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AutoFORM PDM Archive versions prior to 7.0 **Description** The issue allows remote authenticated users to bypass intended access restrictions via the "/jmx-console" API endpoint, and then upload and execute arbitrary JSP code via a JBoss remote-deployment mechanism. **Recommendations** For versions prior to 7.0, update to version 7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/jmx-console" API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AutoFORM PDM Archive versions prior to 6.920 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via unspecified fields. **Recommendations** For versions prior to 6.920, update to version 6.920 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** AutoFORM PDM Archive versions prior to 7.1 **Description** The issue concerns a lack of authorization requirements in the web service of the affected software. This allows remote authenticated users to perform database operations via a SOAP request. For example, this can be achieved through the "initializeQueryDatabase2" request. **Recommendations** For versions prior to 7.1, consider restricting access to the web service to minimize the risk of unauthorized database operations until a patch is available. As a temporary workaround, limit the ability to perform database operations via SOAP requests to only necessary users.

**Name of the Vulnerable Software and Affected Versions** AutoFORM PDM Archive versions prior to 7.1 **Description** The issue concerns the lack of authorization requirements for administrative functions, allowing remote authenticated users to perform administrative actions. This can be achieved by leveraging knowledge of a hidden function, such as the password-change function. **Recommendations** For versions prior to 7.1, update to version 7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to administrative functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CollabNet ScrumWorks Pro versions prior to 6.0 **Description** The issue allows remote authenticated users to gain privileges and obtain sensitive information by utilizing a modified desktop client. **Recommendations** For versions prior to 6.0, update to version 6.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** HP Business Service Management (BSM) version 9.12 **Description** The issue allows remote attackers to execute arbitrary JSP code within the JBOSS Application Server component. This is achieved by uploading crafted .war files due to improper restrictions. The attack can be performed via a crafted request to TCP port 1098, 1099, or 4444. **Recommendations** For HP Business Service Management (BSM) version 9.12, restrict the uploading of .war files to prevent remote attackers from executing arbitrary JSP code. As a temporary workaround, consider restricting access to TCP ports 1098, 1099, and 4444 to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CollabNet ScrumWorks Basic version 1.8.4 **Description** The issue allows context-dependent attackers to obtain sensitive information. This can be achieved by either sniffing the network for transmissions of Java objects or reading the database, as the software uses cleartext credentials for network communication and the internal database. **Recommendations** For CollabNet ScrumWorks Basic version 1.8.4, consider restricting access to the database and network transmissions to minimize the risk of exploitation. As a temporary workaround, restrict the use of cleartext credentials in network communication and the internal database until a more secure method is implemented.