Ruslan Habalov

**Name of the Vulnerable Software and Affected Versions** Schneider Electric Wonderware InTouch Access Anywhere versions prior to 11.5.2 **Description** An Information Exposure issue allows credentials to be exposed to external systems via specific URL parameters. This is possible because arbitrary destination addresses may be specified, potentially leading to unauthorized access. **Recommendations** For versions prior to 11.5.2, update to a version newer than 11.5.2 to resolve the issue. As a temporary workaround, consider restricting access to sensitive URL parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Schneider Electric Wonderware InTouch Access Anywhere versions prior to 11.5.2 **Description** The issue is related to inadequate encryption strength. Specifically, the software connects via Transport Layer Security without properly verifying the peer's SSL certificate. **Recommendations** For versions prior to 11.5.2, update to a version that properly verifies the peer's SSL certificate to ensure secure connections.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.5.37 PHP versions 5.6.x prior to 5.6.23 PHP versions 7.x prior to 7.0.8 **Description** The issue is related to the improper interaction between the `php zip.c` component in the PHP zip extension and the unserialize implementation and garbage collection. This allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a `ZipArchive` object. The vulnerability is related to the use of memory after it has been freed, which can be exploited by an attacker to execute arbitrary PHP code or cause a denial of service. **Recommendations** For PHP versions prior to 5.5.37, update to version 5.5.37 or later. For PHP versions 5.6.x prior to 5.6.23, update to version 5.6.23 or later. For PHP versions 7.x prior to 7.0.8, update to version 7.0.8 or later. As a temporary workaround, consider disabling the `ZipArchive` object in serialized data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.5.37 PHP versions 5.6.x prior to 5.6.23 **Description** The issue is related to improper interaction between the SPL extension and the unserialize implementation, along with garbage collection. This can be exploited by remote attackers using crafted serialized data, potentially leading to the execution of arbitrary code or a denial of service, resulting in a use-after-free condition and application crash. **Recommendations** For PHP versions prior to 5.5.37, update to version 5.5.37 or later. For PHP versions 5.6.x prior to 5.6.23, update to version 5.6.23 or later.