Adam Merrill

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) versions prior to 2023.1 **Description** Newforma Info Exchange (NIX) versions prior to 2023.1, by default, permit anonymous authentication. This allows an unauthenticated attacker to exploit further issues that typically require authentication. **Recommendations** Update to version 2023.1 or later.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (affected versions not specified) **Description** Newforma Info Exchange accepts serialized .NET data via the `/remoteweb/remote.rem` API endpoint without proper validation. This allows a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITYNetworkService' privileges. A compromised Newforma Info Exchange system can be used to attack an associated Newforma Project Center Server system. The vulnerable endpoint, `/remoteweb/remote.rem`, is used by Newforma Project Center Server. **Recommendations** Restrict network access to the `/remoteweb/remote.rem` endpoint.

**Name of the Vulnerable Software and Affected Versions** Newforma Project Center Server (NPCS) (affected versions not specified) **Description** Newforma Project Center Server (NPCS) allows a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITYNetworkService' privileges. This is possible because the software accepts serialized .NET data via the `/ProjectCenter.rem` API endpoint on port 9003/tcp. The vulnerable endpoint is intended to be accessible only on an internal network according to the recommended architecture. The vulnerable parameter is the serialized .NET data sent to the `/ProjectCenter.rem` endpoint. **Recommendations** Restrict network access to Newforma Project Center Server (NPCS).

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) versions 2023.3 and 2024.1 **Description** Newforma Info Exchange (NIX) utilizes a hard-coded key for encrypting query parameters. Certain encrypted parameter values can define file paths for download, potentially circumventing authentication and authorization mechanisms. The `/DownloadWeb/download.aspx` endpoint is affected, specifically the `qs` parameter. The shared hard-coded key is consistent across different NIX installations. **Recommendations** Newforma Info Exchange version 2023.3 limits the use of hard-coded keys. Newforma Info Exchange version 2024.1 limits the use of hard-coded keys.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) versions prior to 2023.1 **Description** Newforma Info Exchange (NIX) allows authenticated users to read and delete arbitrary files with 'NT AUTHORITYNetworkService' privileges through requests to the `/UserWeb/Common/MarkupServices.ashx` endpoint specifying the `DownloadExportedPDF` command. Prior to version 2023.1, anonymous access is enabled by default, allowing unauthenticated attackers to exploit this functionality by effectively authenticating as 'anonymous'. The vulnerable endpoint is `/UserWeb/Common/MarkupServices.ashx` and the vulnerable command is `DownloadExportedPDF`. **Recommendations** Update to version 2023.1 or later. Disable anonymous access to the application.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) (affected versions not specified) **Description** Newforma Info Exchange (NIX) stores credentials used to configure NPCS in the registry location 'HKLMSoftwareWOW6432NodeNewforma`version`Credentials'. These credentials are encrypted, but the encryption key is also stored in the same registry location. Authenticated users can access both the credentials and the encryption key. If these are Active Directory credentials, an attacker may be able to gain access to additional systems and resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) versions prior to 2023.1 **Description** Newforma Info Exchange (NIX) contains a flaw in the `/UserWeb/Common/UploadBlueimp.ashx` API endpoint that allows an authenticated attacker to upload arbitrary files to any location writable by the NIX application. This can lead to the execution of a web shell or other executable content by the web server, as well as the deletion of directories. In versions prior to 2023.1, anonymous access is enabled by default, allowing unauthenticated attackers to exploit this file upload issue by effectively authenticating as 'anonymous'. The vulnerable parameter is not specified. **Recommendations** Versions prior to 2023.1 should be updated to version 2023.1 or later.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) (affected versions not specified) **Description** The software contains a flaw in the '/UserWeb/Common/MarkupServices.ashx' endpoint, specifically within the `StreamStampImage` function. This function processes encrypted file paths and returns an image of the specified file. An attacker can potentially read files by providing an encrypted path. The `StreamStampImage` function is vulnerable to unauthorized file access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) (affected versions not specified) **Description** Newforma Info Exchange (NIX) contains a flaw in the '/RemoteWeb/IntegrationServices.ashx' endpoint. An unauthenticated, remote attacker can exploit this to force NIX to establish an SMB connection to a system controlled by the attacker. This allows the attacker to capture the NTLMv2 hash of the NIX service account. The vulnerable endpoint is `/RemoteWeb/IntegrationServices.ashx`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) (affected versions not specified) **Description** Newforma Info Exchange (NIX) contains a flaw in the '/UserWeb/Common/MarkupServices.ashx' endpoint that allows a remote, unauthenticated attacker to force NIX to establish a Server Message Block (SMB) connection to a system controlled by the attacker. This enables the attacker to capture the NTLMv2 hash of the NIX service account as it is configured by the customer. The affected `endpoint` is '/UserWeb/Common/MarkupServices.ashx'. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) (affected versions not specified) **Description** The software contains an unauthenticated URL redirect issue via the `/DownloadWeb/hyperlinkredirect.aspx` API endpoint. The `nhl` parameter is susceptible to manipulation, allowing an attacker to redirect a user to a malicious URL. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) (affected versions not specified) **Description** Newforma Info Exchange (NIX) includes a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files. These SVG files can contain JavaScript or other content that may be executed or rendered by a web browser when accessed using a mobile user agent. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Newforma Info Exchange (NIX) (affected versions not specified) **Description** Newforma Info Exchange (NIX) contains a flaw in the '/NPCSRemoteWeb/LegacyIntegrationServices.asmx' endpoint that allows a remote, unauthenticated attacker to force NIX to establish a Server Message Block (SMB) connection to a system controlled by the attacker. This connection can result in the capture of the NTLMv2 hash of the NIX service account. The vulnerable API endpoint is `/NPCSRemoteWeb/LegacyIntegrationServices.asmx`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BrightSign OS series 4 versions prior to 8.5.53.1 BrightSign OS series 5 versions prior to 9.0.166 **Description** The issue allows for privilege escalation on the device once code execution has been obtained, due to execution with unnecessary privileges. **Recommendations** For BrightSign OS series 4 versions prior to 8.5.53.1, update to version 8.5.53.1 or later. For BrightSign OS series 5 versions prior to 9.0.166, update to version 9.0.166 or later.