David Sullo

**Name of the Vulnerable Software and Affected Versions** Avi Alkalay contribute.cgi (aka contribute.pl) (affected versions not specified) **Description** A directory traversal issue allows remote attackers to overwrite arbitrary files by using ".." sequences in the `contribdir` variable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** man-cgi script (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary code via shell metacharacters in the `topic` parameter. This is a result of a flaw in the man-cgi script. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Avi Alkalay notify program (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the `from` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Avi Alkalay nslookup.cgi program **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the `query` parameter. **Recommendations** For the Avi Alkalay nslookup.cgi program, consider restricting access to the `query` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Cyclades AlterPath Manager (APM) Console Server version 1.2.1 **Description** The issue allows remote attackers to obtain sensitive information by making a direct request to the "/about.html" API endpoint. **Recommendations** For version 1.2.1, consider restricting access to the "/about.html" page until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cyclades AlterPath Manager (APM) Console Server version 1.2.1 **Description** The issue allows remote attackers to connect to arbitrary consoles by modifying the `consolename` parameter in the consoleConnect.jsp file. **Recommendations** For version 1.2.1, restrict access to the consoleConnect.jsp file to minimize the risk of exploitation, and avoid using the `consolename` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cyclades AlterPath Manager (APM) Console Server version 1.2.1 **Description** The issue allows local users to gain privileges. This is achieved by setting the `adminUser` parameter to true in the 'saveUser.do' endpoint. **Recommendations** For version 1.2.1, avoid using the `adminUser` parameter in the 'saveUser.do' endpoint until the issue is resolved. Consider restricting access to the 'saveUser.do' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** EasyWeb FileManager version 1.0 RC-1 **Description** The issue allows remote attackers to retrieve arbitrary files by exploiting a directory traversal vulnerability. This is achieved by using a .. (dot dot) in the `pathext` parameter. **Recommendations** For EasyWeb FileManager version 1.0 RC-1, consider restricting access to the `pathext` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.