Weaver OA · CVE-2023-2765
**Name of the Vulnerable Software and Affected Versions**
Weaver OA versions up to 9.5
**Description**
A vulnerability has been found in the file /E-mobile/App/System/File/downfile.php, where manipulation of the `url` argument leads to absolute path traversal. The attack can be initiated remotely. The issue has been publicly disclosed and may be exploited.
**Recommendations**
For versions up to 9.5, as a temporary workaround, consider restricting access to the /E-mobile/App/System/File/downfile.php file until a patch is available. Avoid using the `url` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.
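
While access to the endpoint is being restricted, existing web access logs can be reviewed for requests that already reached it. The following is an added example, not part of the advisory or of Weaver's code: it finds requests to downfile.php and grades the `url` argument after decoding. It assumes the Apache/nginx "combined" log layout; the function names and sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Path named in the advisory, lower-cased for case-insensitive comparison.
ENDPOINT = "/e-mobile/app/system/file/downfile.php"
# Assumption: Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# POSIX root, UNC prefix, or Windows drive letter.
ABSOLUTE_RE = re.compile(r'^(?:/|\\\\|[A-Za-z]:[\\/])')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252F) up to a fixed depth."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding for a request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    # Collapse "//" and "./" so trivially varied spellings still match.
    path = posixpath.normpath(re.sub(r"/+", "/", fully_decode(path))).lower()
    if path != ENDPOINT:
        return None
    values = [fully_decode(v) for v in parse_qs(query, keep_blank_values=True).get("url", [])]
    if any(ABSOLUTE_RE.match(v) for v in values):
        level = "absolute-path"   # matches the behaviour the advisory describes
    elif values:
        level = "url-argument"    # argument used, value not absolute
    else:
        level = "endpoint-only"   # endpoint reached without the argument
    return {"client": m["client"], "status": int(m["status"]), "level": level, "url": values}

def review(lines):
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2023:10:00:01 +0000] "GET /E-mobile/App/System/File/downfile.php?url=%2Fsrv%2Fexample%2Fnotes.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2023:10:00:05 +0000] "GET /e-mobile/App/System/File//downfile.php?url=C%253A%255Cexample%255Cnotes.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2023:10:01:00 +0000] "GET /E-mobile/App/System/File/downfile.php?url=report.pdf HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/May/2023:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 100',
]
```

A finding only shows that the request was made; the status code and response size in the matching log line indicate whether the server answered it.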