Unknown · Fog Server · CVE-2024-42349
**Name of the Vulnerable Software and Affected Versions**
FOG Server versions 1.5.10.41.4 and earlier
**Description**
The issue is an exposure of sensitive information through log files stored on the web server. FOG Server creates two logs, `fog login accepted.log` and `fog login failed.log`, in the root of the web server, where they can leak authorized and rejected logins. These logs contain the name of the user account used to manage FOG, the IP address of the computer used to log in, and the User-Agent.
**Recommendations**
For FOG Server versions 1.5.10.41.4 and earlier, update to version 1.5.10.47 or later to fix the issue. As a temporary workaround, consider restricting access to the `fog login accepted.log` and `fog login failed.log` files to minimize the risk of exploitation.
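
To check whether the two files have already been requested from a server, and whether the access restriction is taking effect, the following added example (not code from FOG or from this advisory) scans web server access-log lines for requests naming them and separates served requests from refused ones. The combined log format, the name match that treats spaces and underscores alike, and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# File names as written in the advisory above, compared with "_" and " "
# treated alike and case ignored (an assumption about on-disk naming).
LEAKED_LOGS = {"fog login accepted.log", "fog login failed.log"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"]+?)(?: HTTP/\d(?:\.\d)?)?" '
    r'(?P<status>\d{3}) '
)

def find_log_fetches(lines):
    """Return (ip, time, file, status) for every request naming a FOG login log."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        # Drop the query string, then decode %20 and similar escapes.
        path = unquote(urlsplit(m["target"]).path)
        name = path.rsplit("/", 1)[-1].replace("_", " ").lower()
        if name in LEAKED_LOGS:
            hits.append((m["ip"], m["time"], name, int(m["status"])))
    return hits

def served(hits):
    """Keep only requests the server answered with content (2xx status)."""
    return [h for h in hits if 200 <= h[3] < 300]

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [12/Aug/2024:10:01:02 +0000] "GET /fog%20login%20accepted.log HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/Aug/2024:10:01:05 +0000] "GET /fog_login_failed.log?x=1 HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '203.0.113.20 - - [12/Aug/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, when, name, status in find_log_fetches(SAMPLE):
        verdict = "SERVED" if 200 <= status < 300 else "blocked"
        print(f"{when} {ip} {name} -> {status} ({verdict})")
```

A served hit means the account names, IP addresses and User-Agent strings in that file should be treated as disclosed to the requesting client.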