Sebastian Neuner

**Name of the Vulnerable Software and Affected Versions** KONE Group Controller (KGC) versions prior to 4.6.5 **Description** An issue was discovered that allows Denial of Service to occur through the open HTTP interface. **Recommendations** For versions prior to 4.6.5, update to version 4.6.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** KONE Group Controller (KGC) versions prior to 4.6.5 **Description** An issue allows unauthenticated Local File Inclusion and File modification through the open HTTP interface. This can be achieved by modifying the `name` parameter of the file endpoint. **Recommendations** For versions prior to 4.6.5, update to version 4.6.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the file endpoint to minimize the risk of exploitation. Avoid using the `name` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** KONE Group Controller (KGC) versions prior to 4.6.5 **Description** An issue allows unauthenticated remote code execution through the open HTTP interface by modifying `autoexec.bat`. **Recommendations** For versions prior to 4.6.5, update to version 4.6.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM FlashSystem versions (affected versions not specified) **Description** The issue allows an authenticated attacker with specialized access to overwrite arbitrary files, potentially causing a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** The issue allows unauthorized access to read arbitrary files from the system through the /DownloadFile web handler, which does not require authentication. **Recommendations** For versions 6.1 through 8.1.1, as a temporary workaround, consider restricting access to the /DownloadFile web handler until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** The issue allows an authenticated user to obtain sensitive information that they should not have authorization to read. **Recommendations** For versions 6.1 through 8.1.1, update to a version that contains a fix for this issue to prevent unauthorized access to sensitive information.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** The issue allows an authenticated user to access system files they should not have access to, including deleting files or causing a denial of service. **Recommendations** For versions 6.1 through 8.1.1, update to a version that contains a fix for this issue to prevent unauthorized access to system files and potential denial of service.

**Name of the Vulnerable Software and Affected Versions** IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products versions 6.1 through 8.1.1 **Description** This issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. **Recommendations** For versions 6.1 through 8.1.1, update to a version that includes the fix for this issue to prevent cross-site scripting attacks.