Daniel Hofer

**Name of the Vulnerable Software and Affected Versions** cashIT! - serving solutions versions 03.A06rks 2023.02.37 and earlier **Description** The issue is related to an origin bypass via the host header in an HTTP request. This can be triggered by an HTTP endpoint exposed to the network. **Recommendations** For versions 03.A06rks 2023.02.37 and earlier, consider restricting access to HTTP endpoints exposed to the network as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** cashIT! - serving solutions versions to 03.A06rks 2023.02.37 **Description** The issue affects devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" and allows for the leakage of the database, including system settings and user accounts. This can be triggered by an HTTP endpoint exposed to the network. **Recommendations** For versions to 03.A06rks 2023.02.37, as a temporary workaround, consider restricting access to the exposed HTTP endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cashIT! - serving solutions versions from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 **Description** The issue is an unauthenticated remote code execution vulnerability that can be triggered by an HTTP endpoint exposed to the network. **Recommendations** For versions from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37, as a temporary workaround, consider restricting access to the exposed HTTP endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.36.33 **Description** The issue concerns ZoneMinder, a free, open source Closed-circuit television software application for Linux. It supports IP, USB, and Analog cameras. Log entries can be injected into the database logs, containing a malicious referrer field. This field is unescaped when viewing the logs in the web UI, leading to Cross-site Scripting. **Recommendations** For versions prior to 1.36.33, update to version 1.36.33 to resolve the issue. As a temporary workaround, consider restricting access to the web UI to minimize the risk of exploitation. Avoid viewing logs in the web UI until the issue is resolved.