Antonio Cuomo

**Name of the Vulnerable Software and Affected Versions** Sandboxie-Plus version 5.50.2 **Description** Sandboxie-Plus version 5.50.2 has an issue with an unquoted service path in the SbieSvc Windows service. This could allow local attackers to execute arbitrary code. The issue involves the potential to inject malicious executables that run with LocalSystem privileges when the service starts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WOW21 version 5.0.1.9 **Description** The software contains an unquoted service path issue. This allows local attackers to potentially execute arbitrary code with elevated system privileges. Exploitation involves leveraging the unquoted binary path to inject malicious executables that are launched with LocalSystem permissions during service startup. **Recommendations** Ensure the service path is enclosed in quotes to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** WBCE CMS version 1.5.2 **Description** The software contains an authenticated remote code execution issue. Attackers can upload malicious droplets through the admin panel. Specifically, authenticated attackers can exploit the droplet upload functionality within the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload. The vulnerable functionality is related to the droplet upload process. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the droplet upload functionality in the admin panel.

**Name of the Vulnerable Software and Affected Versions** Bludit versions prior to 3.13.1 **Description** A file download issue exists in the Backup Plugin within Bludit. Logged-in users can access arbitrary files. Attackers can exploit the plugin’s download functionality by manipulating file path parameters, potentially leading to the reading of sensitive system files through directory traversal. **Recommendations** Update to version 3.13.1 or later.

**Name of the Vulnerable Software and Affected Versions** Distributed Data Systems WebHMI version 4.1.1.7662 **Description** A user with administrative privileges may send OS commands to execute on the host server. This issue allows for potential command execution on the host server by an administrative user. **Recommendations** For Distributed Data Systems WebHMI version 4.1.1.7662, consider restricting administrative access to trusted users only until a fix is available. As a temporary workaround, monitor and limit the execution of OS commands on the host server to minimize potential damage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Distributed Data Systems WebHMI version 4.1.1.7662 **Description** A user with administrative privileges can store a script that could impact other logged in users. **Recommendations** For Distributed Data Systems WebHMI version 4.1.1.7662, consider restricting administrative privileges to prevent unauthorized script storage until a patch is available.