Ivanti · Ivanti Avalanche · CVE-2021-30497
**Name of the Vulnerable Software and Affected Versions**
Ivanti Avalanche (Premise) version 6.3.2
**Description**
The issue allows remote, unauthenticated users to read arbitrary files from the server via absolute path traversal. The "/AvalancheWeb/image" endpoint takes a file name in the `imageFilePath` parameter and does not verify that the resulting path lies inside the image folder; because an absolute path (for example one beginning with a drive letter) replaces the image folder rather than being appended to it, a request such as `imageFilePath=C:/Windows/system32/config/system.sav` returns that file instead of an image. An attacker can use this to obtain sensitive information from the host, such as that saved copy of the SYSTEM registry hive.
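The following is an added example, not Ivanti's code, written to show the flaw described above and the containment check that prevents it. The image folder location `C:\Avalanche\images`, the function names and the sample inputs are assumptions for illustration; the advisory gives only the endpoint and parameter name. It uses Python's `ntpath` so that Windows path semantics (drive letters, `\` and `/` separators, UNC paths) are exercised regardless of the platform it runs on.

```python
"""Absolute path traversal: an unchecked join versus a containment check.

The vulnerable resolver mirrors the flaw in CVE-2021-30497 as described: the
imageFilePath value is joined onto the image folder and used as-is.  Because
ntpath.join() discards the first argument when the second one carries its own
drive or root, 'C:/Windows/...' escapes the folder entirely.
"""
import ntpath
from typing import Optional

# Assumed location of the image folder (not taken from the advisory).
IMAGE_ROOT = r"C:\Avalanche\images"


def resolve_image_unsafe(image_root: str, image_file_path: str) -> str:
    """Vulnerable: returns whatever path the client asked for."""
    return ntpath.normpath(ntpath.join(image_root, image_file_path))


def resolve_image_safe(image_root: str, image_file_path: str) -> Optional[str]:
    """Hardened: returns the path only if it stays inside image_root.

    Returns None for anything that escapes the folder: absolute paths,
    drive-rooted paths, UNC shares, '..' segments that climb out, and
    sibling folders whose name merely starts with the root's name.
    """
    root = ntpath.normpath(image_root)
    candidate = ntpath.normpath(ntpath.join(root, image_file_path))
    try:
        # commonpath() compares whole path components (case-insensitively on
        # Windows), so 'C:\Avalanche\images_private' does not pass as a child
        # of 'C:\Avalanche\images' the way a str.startswith() check would allow.
        if ntpath.commonpath([root, candidate]) != root:
            return None
    except ValueError:
        # Raised when the two paths are on different drives or UNC shares.
        return None
    if candidate == root:
        # The folder itself is not a servable image.
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    samples = [
        "logo.png",
        "icons/../logo.png",
        "C:/Windows/system32/config/system.sav",   # the advisory's example
        r"..\..\Windows\win.ini",
        r"\Windows\win.ini",
        r"\\attacker\share\x.png",
        r"..\images_private\secret.png",
    ]
    for s in samples:
        print(f"{s!r:45} unsafe -> {resolve_image_unsafe(IMAGE_ROOT, s)}")
        print(f"{'':45} safe   -> {resolve_image_safe(IMAGE_ROOT, s)}")
```

The important point is that the check runs on the fully joined and normalized path, not on the raw parameter: filtering for `..` or a leading drive letter in the input misses rooted paths such as `\Windows\win.ini` and alternate separators, whereas comparing `commonpath` of the normalized result against the root rejects every form of escape with one rule.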
**Recommendations**
For Ivanti Avalanche (Premise) version 6.3.2, as a temporary workaround, restrict network access to the "/AvalancheWeb/image" endpoint (for example with a reverse-proxy or firewall rule that allows only trusted management hosts) to reduce exposure until a fix is applied. Because the endpoint is reachable without authentication, also review web server logs for requests to this endpoint whose `imageFilePath` value contains a drive letter, a leading slash or backslash, or `..` segments, as these indicate exploitation attempts. At the time of writing there is no information about a release that fixes this vulnerability; check Ivanti's advisory for this CVE and upgrade as soon as a fixed version is available.