Thomas Fischer

**Name of the Vulnerable Software and Affected Versions** Autodesk VRED Professional 2014 versions before SR1 SP8 **Description** The issue allows remote attackers to execute arbitrary code via Python `os` library calls in Python API commands to the integrated web server. **Recommendations** For Autodesk VRED Professional 2014 versions before SR1 SP8, update to SR1 SP8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Caldera version 9.20 **Description** A directory traversal issue exists, allowing remote attackers to access arbitrary directories by providing a crafted pathname in dirmng/index.php. **Recommendations** For Caldera version 9.20, update the dirmng/index.php file to properly sanitize and validate user-inputted pathnames to prevent directory traversal attacks. As a temporary workaround, consider restricting access to the dirmng/index.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Caldera version 9.20 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `tr` parameter to specific API endpoints, such as "costview2/jobs.php" or "costview2/printers.php". **Recommendations** For version 9.20, consider restricting access to the vulnerable API endpoints "costview2/jobs.php" and "costview2/printers.php" to minimize the risk of exploitation. Avoid using the `tr` parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.