Netadmin · Netadmin · CVE-2024-48955
**Name of the Vulnerable Software and Affected Versions**
NetAdmin version 4.0.30319
**Description**
The issue is a broken access control flaw: the response of a specific endpoint call is returned without session authorization validation and without encryption. This allows an attacker to replicate the browser content of a user with greater privileges and thereby gain access to that user's functionality. Additionally, an attacker can steal a valid session cookie and inject it into another device, obtaining unauthorized access through a technique known as session hijacking.
**Recommendations**
For NetAdmin version 4.0.30319, as a temporary workaround, implement additional session validation and encryption measures to prevent unauthorized access. Restrict access to sensitive functionalities and endpoints to minimize the risk of exploitation, and avoid using the affected endpoint until the issue is resolved. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
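The following is an added defensive example, not code from NetAdmin or this advisory, illustrating the kind of server-side session validation the workaround calls for: every protected endpoint is checked for a live session, the session's role is checked against the endpoint, a cookie presented from a device other than the one that logged in is revoked as a suspected hijack, and the cookie is issued with `Secure`/`HttpOnly`/`SameSite` attributes. The endpoint paths, header names and role policy are hypothetical placeholders; the affected endpoint is not named on the page.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory session store. The cookie value is an opaque random key;
# all authorization state lives server-side, never in the cookie itself.
@dataclass
class Session:
    user: str
    role: str
    device_fp: str           # fingerprint of the device that established the session
    expires_at: float
    cookie: str = field(default_factory=lambda: secrets.token_urlsafe(32))

SESSIONS: Dict[str, Session] = {}

# Hypothetical endpoint-to-role policy (placeholder paths, not NetAdmin's real endpoints).
ENDPOINT_ROLES = {"/api/admin/users": {"admin"}, "/api/config": {"admin", "operator"}}

def device_fingerprint(headers: Dict[str, str]) -> str:
    """Hash of request attributes expected to stay constant for the issuing device."""
    raw = headers.get("User-Agent", "") + "|" + headers.get("X-Device-Id", "")
    return hashlib.sha256(raw.encode()).hexdigest()

def login(user: str, role: str, headers: Dict[str, str], ttl: int = 900) -> str:
    """Create a session bound to the logging-in device and return its cookie value."""
    s = Session(user, role, device_fingerprint(headers), time.time() + ttl)
    SESSIONS[s.cookie] = s
    return s.cookie

def session_cookie_header(cookie: str) -> str:
    """Set-Cookie value: Secure forces TLS, HttpOnly blocks script access, SameSite limits CSRF."""
    return f"netadmin_session={cookie}; Path=/; Secure; HttpOnly; SameSite=Strict"

def authorize(cookie: Optional[str], endpoint: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, reason). Must run before any response body is produced."""
    s = SESSIONS.get(cookie or "")
    if s is None or time.time() > s.expires_at:
        return 401, "no valid session"
    # Cookie replayed from a different device: treat as suspected hijack,
    # revoke the session and surface the event for monitoring.
    if not hmac.compare_digest(s.device_fp, device_fingerprint(headers)):
        SESSIONS.pop(cookie, None)
        return 401, "session bound to a different device; revoked"
    allowed = ENDPOINT_ROLES.get(endpoint)
    if allowed is None or s.role not in allowed:
        return 403, "role not permitted for endpoint"
    return 200, "ok"
```

The device fingerprint is a heuristic (request headers can be forged), so it adds detection of cookie replay on top of, not instead of, the per-request authorization check.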