Alessandro Sabetta

**Name of the Vulnerable Software and Affected Versions** Wolters Kluwer B.POINT version 23.70.00 **Description** The issue allows a validated system user to achieve remote code execution via Argument Injection in the server-to-server module during the authentication phase. **Recommendations** For version 23.70.00, consider restricting access to the server-to-server module to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Archibus Web Central versions prior to 26.2 **Description** The issue allows for SQL Injection vulnerabilities in the "dwr/call/plaincall/workflow.runWorkflowRule.dwr" endpoint. Through the injection of arbitrary SQL statements, a potential attacker can modify query syntax and perform unauthorized operations against the remote database. **Recommendations** For versions prior to 26.2, update to version 26.2 or a more recent version to resolve the issue. As a temporary workaround, consider restricting access to the "dwr/call/plaincall/workflow.runWorkflowRule.dwr" endpoint until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Thruk versions prior to 2.44 Description: The issue allows for stored XSS, potentially enabling attackers to inject malicious scripts into the application. This could lead to unauthorized access or control of user sessions. Recommendations: For versions prior to 2.44, update to version 2.44 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive features or input fields to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Thruk versions 2.40 through 2 Description: The issue allows for Reflected XSS via the `host` or `title` parameter in the "/thruk/#cgi-bin/status.cgi" endpoint. An attacker could inject arbitrary JavaScript into status.cgi, which would be triggered every time an authenticated user browses the page containing it. Recommendations: For Thruk versions 2.40 through 2, as a temporary workaround, consider restricting access to the "/thruk/#cgi-bin/status.cgi" endpoint until a patch is available. Avoid using the `host` or `title` parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Thruk versions 2.40-2 Description: The issue allows for Reflected XSS via the `host` or `service` parameter in the `/thruk/#cgi-bin/extinfo.cgi` API endpoint. An attacker could inject arbitrary JavaScript into extinfo.cgi, and the malicious payload would be triggered every time an authenticated user browses the page containing it. Recommendations: For Thruk versions 2.40-2, consider disabling access to the `/thruk/#cgi-bin/extinfo.cgi` API endpoint until a patch is available. Restrict the use of the `host` and `service` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ARCHIBUS Web Central versions 21.3.3.815 and earlier **Description** The issue arises from the Web Application in /archibus/login.axvw, where a session token could be assigned that is already in use by another user. This allowed access to the application without knowing the user's credentials. It was also possible to set the value of the session token client-side by making an unauthenticated GET Request to the Home Page and adding an arbitrary value to the `JSESSIONID` field. The application did not assign a new token after login, continuing to use the inserted one as the session identifier. This vulnerability only affects products that are no longer supported by the maintainer. **Recommendations** For ARCHIBUS Web Central versions 21.3.3.815 and earlier, update to a version newer than 21.3, such as version 26, to resolve the issue. As a temporary workaround, consider restricting access to the `/archibus/login.axvw` endpoint to minimize the risk of exploitation. Avoid using the `JSESSIONID` field in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ARCHIBUS Web Central version 21.3.3.815 **Description** The issue arises from the software's failure to properly validate requests for access to data and functionality in several affected endpoints: "/archibus/schema/ab-edit-users.axvw", "/archibus/schema/ab-data-dictionary-table.axvw", "/archibus/schema/ab-schema-add-field.axvw", and "/archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw". This allows any authenticated user to access pages not intended for them, including the administrative console for user management, by directly requesting access via URL. A malicious user can exploit this to modify all users' profiles, elevate privileges to administrative levels, create or delete any type of user, and even modify other users' emails through a misconfiguration of the `username` parameter on the user profile page. **Recommendations** For version 21.3.3.815, consider upgrading to a recent version, such as version 26, to fix the issue. As a temporary workaround, restrict access to the administrative console and limit modifications to user profiles until an upgrade can be performed. Additionally, review and correct any misconfigurations of the `username` parameter to prevent unauthorized email modifications.

**Name of the Vulnerable Software and Affected Versions** ARCHIBUS Web Central versions 21.3.3.815 and earlier **Description** The issue occurs in the /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr endpoint because the data received as input from clients is re-included within the HTTP response returned by the application without adequate validation. If HTML code or client-side executable code (e.g., Javascript) is entered as input, the expected execution flow could be altered. **Recommendations** For versions 21.3.3.815 and earlier, update to a recent version, such as version 26, to resolve the issue. As a temporary workaround, consider restricting access to the /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr endpoint until a patch is available. Avoid entering HTML code or client-side executable code as input to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: CA eHealth Performance Manager versions through 6.3.2.12 Description: The issue is related to Privilege Escalation via a Dynamically Linked Shared Object Library. A regular user can create a malicious library in the writable RPATH, which will be dynamically linked when the emtgtctl2 executable is run, allowing the code in the library to be executed as the ehealth user. This issue only affects products that are no longer supported by the maintainer. Recommendations: For CA eHealth Performance Manager versions through 6.3.2.12, consider restricting access to the emtgtctl2 executable to prevent exploitation, as these versions are no longer supported by the maintainer. At the moment, there is no information about a newer version that contains a fix for this vulnerability.