Daniel Hirschberger

**Name of the Vulnerable Software and Affected Versions** No specific software name or versions are mentioned in the provided descriptions. **Description** The password change function at "/cgi/admin.cgi" does not require the current or old password, making the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the `-rsetpass+-aaction+-` parameter for a user without knowing the old password, for example, by exploiting a CSRF issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** The issue arises from flaws in the self-developed session management, allowing an attacker who can spoof the IP address and the `User-Agent` of a logged-in user to takeover the session. If two users access the web interface from the same IP, they are logged in as the other user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** An unauthenticated attacker can perform a SQL injection by accessing the "/class/dbconnect.php" file and supplying malicious GET parameters. The HTTP GET parameters `search`, `table`, `field`, and `value` are vulnerable. For example, one SQL injection can be performed on the parameter `field` with the UNION keyword. **Recommendations** As a temporary workaround, consider restricting access to the "/class/dbconnect.php" file until a patch is available. Avoid using the parameters `search`, `table`, `field`, and `value` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SoftwareX versions prior to 7.40 **Description** The issue is due to missing input sanitization, allowing an attacker to perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. This function is available at the URL "https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre" and can be used by the users Poweruser and Admin. The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. **Recommendations** For versions prior to 7.40, update to version 7.40 or later to mitigate the risk, but be aware that the fix in version 7.40 could be bypassed via URL-encoding the Javascript payload again. As a temporary workaround, consider restricting access to the "Edit Disclaimer Text" function to minimize the risk of exploitation. Additionally, avoid using the `https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre` endpoint until the issue is fully resolved.

**Name of the Vulnerable Software and Affected Versions** SoftwareX versions (affected versions not specified) **Description** The issue is due to missing input sanitization, allowing an attacker to perform cross-site-scripting attacks and run arbitrary JavaScript in the browser of other users. The login page at "/cgi/slogin.cgi" suffers from reflected XSS due to improper input filtering of the `-tsetup+-uuser` parameter. This can only be exploited if the target user is not already logged in, making it ideal for login form phishing attempts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `/cgi/slogin.cgi` endpoint until a patch is available. Avoid using the `-tsetup+-uuser` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: SoftwareX versions (affected versions not specified) Description: An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the "/class/template io.php" file and supplying malicious GET parameters. The `templates` parameter is vulnerable to blind boolean-based SQL injection attacks. SQL syntax must be injected into the JSON syntax of the `templates` parameter. Recommendations: As a temporary workaround, consider restricting access to the "/class/template io.php" file until a patch is available. Avoid using the `templates` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** The issue is related to missing input sanitization, allowing an attacker to perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. This function is available at the URL https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre. Only the users Poweruser and Admin can use this function. The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Application (affected versions not specified) **Description** The issue concerns the application's use of several hard-coded credentials. These credentials are used for encrypting config files during backup and decrypting new firmware during updates. Additionally, some of these passwords allow direct connections to the database server of the affected device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is due to missing input sanitization, allowing an attacker to perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the `file name` and wildcard character input field. By exploiting the wildcard character feature, attackers can store arbitrary Javascript code which is triggered if the page is viewed afterwards, e.g., by higher privileged users such as admins. This attack can even be performed without being logged in because the affected functions are not fully protected. Without logging in, only the `file name` parameter of the "Default" User can be changed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Numerix License Server (affected versions not specified) Description: The issue allows attackers to infect users with arbitrary JavaScript code that runs in the context of the "Numerix License Server Administration System Login" page (nlslogin.jsp) when they click on a malicious link or visit a website under the control of an attacker. This can be triggered by sending a specially crafted HTTP POST request to the `nlslogin.jsp` page. The vendor has been unresponsive, and as a result, there is no available solution. Users are advised to restrict access and monitor logs. Recommendations: To mitigate the risk, restrict access to the `nlslogin.jsp` page and monitor logs for suspicious activity. Try to reach out to your contact person for the Numerix vendor and request a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned as affected, so the information cannot be consolidated into a specific format. **Description** The issue allows the `www-data` user to elevate its privileges because `sudo` is configured to allow the execution of the `mount` command as root without a password. This configuration enables the privileges to be escalated to the root user. The vendor has accepted the risk, indicating that this issue will not be resolved in the near future. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Scanner device (affected versions not specified) **Description** The scanner device boots into a kiosk mode by default and opens the Scan2Net interface in a browser window. This browser is run with the permissions of the root user. There are also several other applications running as the root user. This can be confirmed by running "ps aux" as the root user and observing the output. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software name or versions are mentioned in the provided descriptions. **Description** The issue allows for remote code execution if an attacker has access to a valid Poweruser session. This is possible because specially crafted valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the PHP script is available in the web root. The PHP code executes once the uploaded file is accessed, allowing the execution of arbitrary PHP code and OS commands on the device as "www-data". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Image Access Scan2Net versions (affected versions not specified) **Description** An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg events.php" script as the www-data user. The HTTP GET parameter `data` is not properly sanitized. This allows an attacker to inject arbitrary code on the target system. **Recommendations** As a temporary workaround, consider disabling the "msg events.php" script until a patch is available. Restrict access to the `data` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The web application is not protected against cross-site request forgery attacks, allowing an attacker to trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. For example, an attacker can forge malicious links to reset the admin password or create new users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Omada Identity versions prior to 15 update 1 Description: The issue allows an authenticated attacker to execute arbitrary code in the browser of a victim via a specially crafted link or by viewing a manipulated Access Request History. This is a result of a Stored Cross-Site Scripting in the Access Request History. Recommendations: For Omada Identity versions prior to 15 update 1, update to version 15 update 1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Access Request History feature until a patch is applied. Avoid using manipulated links or viewing suspicious Access Request History entries to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Elefant (affected versions not specified) Description: Attackers with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITYSYSTEM" by overwriting one of two Elefant service binaries with weak permissions. The default installation directory of Elefant is "C:Elefant1" which is writable for all users. In addition, the Elefant installer registers two Firebird database services which are running as “NT AUTHORITYSYSTEM”. Both service binaries are user writable, allowing a local attacker to rename one of the service binaries, replace the service executable with a new executable, and then restart the system. Once the system has rebooted, the new service binary is executed as "NT AUTHORITYSYSTEM". The vulnerable service binaries are located at "C:Elefant1Firebird 2binfbserver.exe" and "C:Elefant1Firebird 2binfbguard.exe". Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Hasomed Elefant version 1.4.2.1811/24.03.03 Description: An unauthenticated attacker with access to the local network of a medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR). This allows for potential data exposure and tampering. Recommendations: For Hasomed Elefant version 1.4.2.1811/24.03.03, patch the software to mitigate the issue and ensure proper authentication is in place for the FHIR API. As a temporary workaround, consider restricting access to the FHIR API to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Elefant Firebird database versions prior to 24.03.03 Description: An unauthenticated attacker with access to the local network of a medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. This access allows the attacker to view sensitive data, including patient data and login credentials. Additionally, the attacker can create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITYSYSTEM"). Recommendations: For versions prior to 24.03.03, upgrade the affected component immediately to mitigate the risk of unauthorized access. As a temporary workaround, consider changing the default login credentials to prevent unauthorized access to the Elefant Firebird database. Restrict access to the database to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Elefant Software Updater (ESU) (affected versions not specified) Description: An attacker with local access to a medical office computer can escalate their Windows user privileges to "NT AUTHORITYSYSTEM" by exploiting a command injection vulnerability in the Elefant Update Service. The vulnerability can be exploited by communicating with the Elefant Update Service, which is running as "SYSTEM" via Windows Named Pipes. The Elefant Software Updater (ESU) consists of two components: an ESU service that runs as "NT AUTHORITYSYSTEM" and an ESU tray client that communicates with the service to update or repair the installation and is running with user permissions. The communication is implemented using named pipes. A crafted message of type `MessageType.SupportServiceInfos` can be sent to the local ESU service to inject commands, which are then executed as "NT AUTHORITYSYSTEM". Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.