Singularitysec

**Name of the Vulnerable Software and Affected Versions** Datto ALTO and SIRIS devices (affected versions not specified) **Description** The issue allows for Remote Code Execution via unauthenticated requests to PHP scripts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BrightSign Digital Signage (4k242) device versions 6.2.63 and below **Description** The issue concerns a problem where an attacker can execute malicious scripts. The estimated number of potentially affected devices worldwide is not specified. Details about real-world incidents where this issue was exploited are not provided. Technical details about exploitation include the API endpoint /network diagnostics.html or /storage info.html, and the vulnerable parameter `REF`. **Recommendations** For versions 6.2.63 and below, avoid using the `REF` parameter in the affected API endpoints /network diagnostics.html and /storage info.html until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BrightSign Digital Signage (4k242) versions 6.2.63 and below **Description** The issue allows renaming and modifying files via the "/tools.html" API endpoint. **Recommendations** For versions 6.2.63 and below, consider restricting access to the "/tools.html" endpoint until a fix is available.

**Name of the Vulnerable Software and Affected Versions** BrightSign Digital Signage (4k242) versions 6.2.63 and below **Description** The issue allows directory traversal via the "/storage.html" API endpoint, specifically through the `rp` parameter. This enables an attacker to read or write to files. **Recommendations** For versions 6.2.63 and below, consider restricting access to the "/storage.html" API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `rp` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Thomson Reuters Fixed Assets CS versions 13.1.4 and earlier **Description** The issue concerns weak permissions set by the installer for the connectgdll.exe program, allowing local users to execute arbitrary code by modifying this program. **Recommendations** For versions 13.1.4 and earlier, consider restricting access to the connectgdll.exe program to prevent local users from modifying it until a fix is available.

**Name of the Vulnerable Software and Affected Versions** CCH Wolters Kluwer ProSystem fx Engagement (aka PFX Engagement) versions 7.1 and earlier **Description** The issue concerns weak permissions for certain service files, specifically `Pfx.Engagement.WcfServices`, `PFXEngDesktopService`, `PFXSYNPFTService`, and `P2EWinService`, which are set to allow Authenticated Users to modify and write. This weakness can be exploited by local users to gain LocalSystem privileges through the use of a Trojan horse file. **Recommendations** For versions 7.1 and earlier, consider restricting the permissions of the service files `Pfx.Engagement.WcfServices`, `PFXEngDesktopService`, `PFXSYNPFTService`, and `P2EWinService` to prevent unauthorized modifications. As a temporary workaround, monitor these files closely for any suspicious activity until a more permanent solution is available.