Fabien Aunay

**Name of the Vulnerable Software and Affected Versions** ASTPP version 4.0.1 **Description** An information disclosure issue exists that allows unauthenticated attackers to download database backup files by predicting backup filename patterns. Attackers can generate a list of 6-digit PIN combinations and attempt to access the backup download URL to exfiltrate sensitive database information from the `/database backup/` directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASTPP version 4.0.1 **Description** The software contains multiple security issues, including cross-site scripting and command injection within the SIP device configuration and plugin management interfaces. Successful exploitation could allow attackers to inject system commands and compromise administrator sessions. It may also be possible to execute arbitrary code with root permissions by manipulating cron tasks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.