Łukasz Rybak

**Name of the Vulnerable Software and Affected Versions** 3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) versions prior to 3.0.59B2024080600R4353 **Description** Authenticated users can execute arbitrary shell commands with root privileges. This is possible by providing a malicious payload in the "IP address" field of the diagnosis test tools. **Recommendations** Update to firmware version 3.0.59B2024080600R4353.

**Name of the Vulnerable Software and Affected Versions** October versions prior to 3.7.13 October versions 4.0.0 through 4.1.4 **Description** A sandbox bypass exists in the optional Twig safe mode feature `CMS SAFE MODE`. Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. This issue only affects installations where `CMS SAFE MODE` is enabled, which is disabled by default, and requires authenticated backend access with CMS template editing permissions. **Recommendations** Update versions prior to 3.7.13 to 3.7.13. Update versions 4.0.0 through 4.1.4 to 4.1.5. Disable `CMS SAFE MODE` if untrusted template editing is not required. Restrict CMS template editing permissions to fully trusted administrators only.

**Name of the Vulnerable Software and Affected Versions** Omega-PSIR versions prior to 4.6.7 **Description** Omega-PSIR is susceptible to a Reflected Cross-Site Scripting (XSS) issue. An attacker can create a malicious URL utilizing the `lang` parameter. When a user opens this URL, it can lead to the execution of arbitrary JavaScript code within the user's browser. The vulnerable parameter is `lang`. The affected API endpoint is not specified. **Recommendations** Update Omega-PSIR to version 4.6.7 or later.