Chris Lyne

Name of the Vulnerable Software and Affected Versions: ManageEngine ServiceDesk Plus versions prior to 11205 Description: The issue allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges due to an incomplete list of disallowed inputs. Recommendations: For versions prior to 11205, update to version 11205 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Babel versions prior to 2.9.1 **Description** The issue is related to errors in input validation when handling directory traversal sequences in locale .dat files within Babel.Locale. This can allow an attacker to load arbitrary locale .dat files, which contain serialized Python objects, via directory traversal, leading to code execution. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to locale .dat files to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: ManageEngine ServiceDesk Plus versions prior to 11200 ManageEngine AssetExplorer versions prior to 6800 Description: The issue is related to insufficient output sanitization, which allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks. This can be achieved by uploading a crafted XML asset file. Recommendations: For ManageEngine ServiceDesk Plus versions prior to 11200, update to version 11200 or later. For ManageEngine AssetExplorer versions prior to 6800, update to version 6800 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI version 5.7.3 **Description** The issue is related to the improper neutralization of argument delimiters in a command, allowing a remote, authenticated admin user to write to arbitrary files. This can ultimately lead to code execution with the privileges of the apache user. **Recommendations** For Nagios XI version 5.7.3, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plex Media Server versions prior to June 15, 2020 **Description** The issue is related to improper access control, allowing any origin to execute cross-origin application requests. **Recommendations** For versions prior to June 15, 2020, update to a version released after June 15, 2020 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Druva inSync Windows Client version 6.6.3 **Description** The issue allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges due to a relative path traversal vulnerability. **Recommendations** For Druva inSync Windows Client version 6.6.3, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plex Media Server (affected versions not specified) **Description** The issue concerns the deserialization of untrusted data in Plex Media Server, allowing a remote, authenticated attacker to execute arbitrary Python code. This can be exploited by an attacker to gain unauthorized access and execute malicious code. The vulnerability is related to the restoration of untrusted data in memory, which can lead to arbitrary code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SimpliSafe SS3 firmware versions 1.0 through 1.3 **Description** The issue allows a local, unauthenticated attacker to bypass authentication using an alternate path or channel, enabling them to pair a rogue keypad to an armed system. **Recommendations** For SimpliSafe SS3 firmware versions 1.0 through 1.3, consider restricting access to the keypad pairing functionality until a patch is available. As a temporary workaround, monitor system activity closely for any signs of unauthorized keypad pairing. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verizon Fios Quantum Gateway (G1100) version 02.01.00.05 **Description** The issue allows an unauthenticated attacker with adjacent network access to intercept and replay login requests, gaining access to the administrative web interface through an authentication bypass by capture-replay. **Recommendations** For version 02.01.00.05, as a temporary workaround, consider restricting access to the administrative web interface until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Advantech WebAccess versions 8.3.2 and earlier Description: A Path Traversal issue was discovered, allowing an attacker to access files within the directory structure of the target device. Recommendations: For Advantech WebAccess versions 8.3.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.