Masamu Asato

**Nome do Software Vulnerável e Versões Afetadas** TimeWorks versões 10.0 a 10.3 **Descrição** O problema está relacionado à limitação inadequada de um caminho de acesso a um diretório restrito, também conhecido como 'Path Traversal'. Isso poderia permitir que um atacante remoto não autenticado acessasse arquivos JSON arbitrários no servidor. **Recomendações** Para as versões do TimeWorks de 10.0 a 10.3, considere restringir o acesso a diretórios e arquivos sensíveis para minimizar o risco de exploração até que um patch esteja disponível. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

Name of the Vulnerable Software and Affected Versions: BizRobo! (affected versions not specified) Description: The issue exists with the use of hard-coded cryptographic keys in BizRobo!. Credentials inside robot files may be obtained if the encryption key is available. The vendor provides workaround information and recommends applying it to the deployment environment. Recommendations: Apply the workaround provided by the vendor to the deployment environment. As a temporary workaround, consider restricting access to the robot files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Nome do Software Vulnerável e Versões Afetadas: FileMegane versões 1.0.0.0 até 3.4.0.0 Descrição: Existe uma vulnerabilidade de bypass de autenticação por spoofing, que pode levar à impersonificação de usuário. Se explorada, conteúdo de arquivos restritos pode ser acessado. Recomendações: Para as versões 1.0.0.0 até 3.4.0.0, atualize para a versão 3.4.0.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso a conteúdo de arquivos sensíveis até que a atualização seja aplicada.

Nome do Software Vulnerável e Versões Afetadas: Versões do FileMegane de 3.0.0.0 a 3.4.0.0 Descrição: O problema ocorre devido a uma vulnerabilidade de Server-Side Request Forgery (SSRF). Isso pode permitir a execução de solicitações arbitrárias à Web API de backend, potencialmente levando à reinicialização dos serviços. Recomendações: Para as versões de 3.0.0.0 a 3.4.0.0, atualize para a versão 3.4.0.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso às solicitações da Web API de backend até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00 MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00 MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00 **Description** The issue allows a remote unauthenticated attacker to execute an arbitrary OS command. **Recommendations** For MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00, update to version 1.11.00 or later.

**Name of the Vulnerable Software and Affected Versions** MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00 MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00 MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00 **Description** The issue allows a remote authenticated attacker with administrative privilege to execute an arbitrary OS command. **Recommendations** For MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00, update to version 1.11.00 or later.

**Name of the Vulnerable Software and Affected Versions** MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00 MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00 MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00 **Description** A cross-site request forgery (CSRF) issue allows a remote unauthenticated attacker to hijack user authentication and conduct unintended operations by having a user view a malicious page while logged in. **Recommendations** For MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00, update to version 1.11.00 or later.

**Name of the Vulnerable Software and Affected Versions** MAHO-PBX NetDevancer series versions prior to 1.11.00 MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00 MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00 **Description** A reflected cross-site scripting issue allows a remote unauthenticated attacker to inject an arbitrary script. **Recommendations** For MAHO-PBX NetDevancer series versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00, update to version 1.11.00 or later.

**Name of the Vulnerable Software and Affected Versions** baserCMS plugin Uploader versions 3.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators. **Recommendations** For baserCMS plugin Uploader versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 3.0.10 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 3.0.10 and earlier **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of administrators. **Recommendations** For versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS plugin Feed versions 3.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators. This is achieved via unspecified vectors. **Recommendations** For baserCMS plugin Feed versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS plugin Mail versions 3.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators. **Recommendations** For versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS plugin Blog versions 3.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators via unspecified vectors. **Recommendations** For versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Script* Log-Chat versions prior to 2.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 2.0, update to version 2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JOB-CUBE -JOB WEB SYSTEM versions prior to 1.2.2 -JOB WEB SYSTEM High Income versions prior to 1.0.6 **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For JOB-CUBE -JOB WEB SYSTEM versions prior to 1.2.2, update to version 1.2.2 or later. For -JOB WEB SYSTEM High Income versions prior to 1.0.6, update to version 1.0.6 or later.