Daniel Morales

**Name of the Vulnerable Software and Affected Versions** Thinfinity VirtualUI versions 2.1.28.0 through 2.5.26.2 **Description** The issue affects the `Addr` parameter in the cmd site, allowing the vulnerable server to disclose information or increase the attack surface by sending requests to other systems. This can potentially allow the filtration of the real IP of the web server. **Recommendations** For Thinfinity VirtualUI versions 2.1.28.0 through 2.5.26.2, update to version 3.0 to resolve the issue. As a temporary workaround, consider restricting access to the `Addr` parameter in the cmd site until a patch is available.

Name of the Vulnerable Software and Affected Versions: Thinfinity VirtualUI versions prior to 3.0 Description: The issue allows a malicious actor to enumerate users registered in the Windows operating system through the "/changePassword" URI. By accessing this vector, an attacker can determine if a username exists thanks to the message returned, which can be presented in different languages according to the configuration of VirtualUI. Common users that may be targeted include administrator, admin, guest, and others. Recommendations: For Thinfinity VirtualUI versions prior to 3.0, update to version 3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/changePassword" URI until a patch is available.

Name of the Vulnerable Software and Affected Versions: Thinfinity VirtualUI versions prior to 3.0 Description: The issue concerns functionality in the /lab.html endpoint that is reachable by default, allowing potential IFRAME injection via the `vpath` parameter. Recommendations: For versions prior to 3.0, consider disabling access to the /lab.html endpoint until a patch is available. As a temporary workaround, restrict the use of the `vpath` parameter in the affected endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Cibele Thinfinity VirtualUI versions prior to 3.0 Description: The issue concerns the /changePassword endpoint, which returns different responses for invalid authentication requests depending on whether the username exists. This discrepancy can potentially be exploited. Recommendations: For versions prior to 3.0, consider restricting access to the /changePassword endpoint until a patch is available. As a temporary workaround, avoid using the /changePassword endpoint for authentication requests.