David Yesland

**Name of the Vulnerable Software and Affected Versions** Extreme Networks Switch Engine (EXOS) versions prior to 31.7.2 Extreme Networks Switch Engine (EXOS) versions prior to 32.5.1.5 **Description** A Cross Site Request Forgery (CSRF) issue in the Chalet application allows attackers to run arbitrary code and cause other unspecified impacts via the "/jsonrpc" API endpoint. **Recommendations** For Extreme Networks Switch Engine (EXOS) versions prior to 31.7.2, update to version 31.7.2 or later to resolve the issue. For Extreme Networks Switch Engine (EXOS) versions prior to 32.5.1.5, update to version 32.5.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/jsonrpc" API endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Extreme Networks Switch Engine (EXOS) versions prior to 22.7 Extreme Networks Switch Engine (EXOS) versions prior to 31.7.2 Extreme Networks Switch Engine (EXOS) versions prior to 32.5.1.5 **Description** The issue is related to an Access Control problem in the Extreme Networks Switch Engine (EXOS) software, which can be exploited by attackers to gain escalated privileges. This can be achieved by using crafted telnet commands via the Redis server. **Recommendations** For versions prior to 22.7, update to version 22.7 or later to resolve the issue. For versions prior to 31.7.2, update to version 31.7.2 or later to resolve the issue. For versions prior to 32.5.1.5, update to version 32.5.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the telnet service and Redis server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Extreme Networks Switch Engine (EXOS) versions prior to 32.5.1.5 Extreme Networks Switch Engine (EXOS) versions prior to 22.7 Extreme Networks Switch Engine (EXOS) versions prior to 31.7.2 **Description** A Directory Traversal issue allows attackers to read arbitrary files. **Recommendations** For versions prior to 32.5.1.5, update to version 32.5.1.5 or later. For versions prior to 22.7, update to version 22.7 or later. For versions prior to 31.7.2, update to version 31.7.2 or later.

**Name of the Vulnerable Software and Affected Versions** Extreme Networks Switch Engine (EXOS) versions prior to 22.7 Extreme Networks Switch Engine (EXOS) versions prior to 31.7.1 Extreme Networks Switch Engine (EXOS) versions prior to 32.5.1.5 **Description** An issue in Extreme Networks Switch Engine (EXOS) allows attackers to gain escalated privileges via crafted HTTP requests. **Recommendations** For versions prior to 22.7, update to version 22.7 or later. For versions prior to 31.7.1, update to version 31.7.1 or later. For versions prior to 32.5.1.5, update to version 32.5.1.5 or later.

**Name of the Vulnerable Software and Affected Versions** Bonita Web version 2021.2 **Description** Bonita Web 2021.2 is affected by an authentication/authorization bypass due to an overly permissive exclusion pattern within the RestAPIAuthorizationFilter. Appending `;i18ntranslation` or `/../i18ntranslation/` to the end of a URL allows users without proper privileges to access privileged API endpoints. Exploiting privileged API actions can lead to remote code execution. Real-world exploitation of this issue has been observed, as demonstrated in a server compromise and a HackTheBox challenge (Meerkat/Sherlock). The exploitation involved credential stuffing and leveraging the vulnerability to gain root shell access. **API Endpoints:** Affected API endpoints are accessible through URL manipulation. **Vulnerable Parameters or Variables:** The URL itself is manipulated by appending ``;i18ntranslation` or `/../i18ntranslation/`. **Recommendations** Bonita Web version 2021.2: Implement a more restrictive pattern for the RestAPIAuthorizationFilter to prevent unauthorized access to privileged API endpoints.

**Name of the Vulnerable Software and Affected Versions** Pritunl Client versions 1.2.3019.52 and earlier **Description** The issue allows local privilege escalation, related to an ACL entry for CREATOR OWNER in platform windows.go. This affects Pritunl Client on Windows. **Recommendations** For Pritunl Client version 1.2.3019.52 and earlier, consider updating to a version that fixes the local privilege escalation issue, although the specific fixed version is not provided in the available data. As a temporary workaround, consider restricting access to the vulnerable ACL entry for CREATOR OWNER in platform windows.go until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amazon AWS VPN Client version 2.0.0 **Description** The issue is related to the Amazon AWS VPN Client, where it is possible to include a UNC path in the OpenVPN configuration file when referencing file paths for parameters such as `auth-user-pass`. When this file is imported and the client attempts to validate the file path, it performs an open operation on the path and leaks the user's Net-NTLMv2 hash to an external server. This could be exploited by having a user open a crafted malicious ovpn configuration file. The vulnerability is also related to errors in synchronization when using a shared resource, which can allow an attacker to elevate their privileges or cause a denial of service. **Recommendations** For Amazon AWS VPN Client version 2.0.0, consider disabling the import of OpenVPN configuration files that contain UNC paths until a patch is available. Restrict access to the `auth-user-pass` parameter to minimize the risk of exploitation. Avoid using the `auth-user-pass` parameter in the OpenVPN configuration file until the issue is resolved. As a temporary workaround, consider monitoring the configuration file for any changes and removing any malicious directives.

**Name of the Vulnerable Software and Affected Versions** Amazon AWS VPN Client version 2.0.0 **Description** An issue exists in the Amazon AWS VPN Client, allowing parameters outside of the allow list to be injected into the configuration file. This can lead to an arbitrary file write as SYSTEM with partial control over the file's content, potentially causing an elevation of privilege or denial of service. A TOCTOU race condition exists during the validation of VPN configuration files, enabling dangerous arguments to be injected by a low-level user. For example, the `log` parameter can be used to specify an arbitrary destination for writing log files. Additionally, it is possible to include a UNC path in the OpenVPN configuration file, which can leak the user's Net-NTLMv2 hash to an external server when the client attempts to validate the file path. **Recommendations** For Amazon AWS VPN Client version 2.0.0, consider disabling the `log` parameter in the configuration file to prevent arbitrary file writes until a patch is available. Restrict access to the configuration file to minimize the risk of exploitation. Avoid using the `auth-user-pass` parameter with UNC paths in the OpenVPN configuration file until the issue is resolved. As a temporary workaround, monitor the configuration file for any changes and remove any malicious directives. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Amazon AWS WorkSpaces client versions 3.0.10 through 3.1.8 Description: The issue is related to argument injection in the workspaces:// URI handler, which can lead to remote code execution due to the Chromium Embedded Framework (CEF) --gpu-launcher argument. Recommendations: For Amazon AWS WorkSpaces client versions 3.0.10 through 3.1.8, update to version 3.1.9 to resolve the issue. As a temporary workaround, consider restricting access to the workspaces:// URI handler until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior **Description** The issue allows a remote user with admin privileges to potentially view arbitrary files on the target system by sending a specially crafted URL request. This can be exploited to gain access to sensitive information, such as user credentials in configuration files. In real-world incidents, this issue has been used to bypass Windows Defender, impersonate a service, and gain SYSTEM level access. **Recommendations** For versions 9.5 and prior, consider restricting access to the admin interface until a patch is available. As a temporary workaround, consider disabling the ability to send specially crafted URL requests to the affected system until a patch is available. Restrict access to sensitive files and configuration files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior **Description** The issue allows an unauthenticated remote attacker to potentially exploit multiple path traversal vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station. **Recommendations** For versions 9.4 and prior, update to a version later than 9.4 to resolve the issue. As a temporary workaround, consider restricting access to the Web API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 68.8 Firefox versions prior to 76 Thunderbird versions prior to 68.8.0 **Description** The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. This issue only affects Firefox on Windows operating systems. **Recommendations** For Firefox ESR versions prior to 68.8, update to version 68.8 or later. For Firefox versions prior to 76, update to version 76 or later. For Thunderbird versions prior to 68.8.0, update to version 68.8.0 or later. As a temporary workaround, consider avoiding the use of the 'Copy as cURL' feature in the Devtools' network tab until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** LabKey Server version 19.1.0 **Description** An issue was discovered that allows forcing a logged-in administrator to execute code through a /reports-viewScriptReport.view CSRF vulnerability. **Recommendations** For LabKey Server version 19.1.0, update to a version that includes a fix for this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** NVIDIA GeForce Experience versions prior to 3.19 **Description** The issue is related to a vulnerability in the Web Helper component of NVIDIA GeForce Experience. An attacker with local system access can craft input that may not be properly validated, potentially leading to code execution, denial of service, or information disclosure. **Recommendations** For versions prior to 3.19, update to version 3.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Helper component until a patch is available.

Name of the Vulnerable Software and Affected Versions: Microvirt MEmu version 6.0.6 Description: An issue was discovered in Microvirt MEmu. The MemuService.exe service binary is vulnerable to local privilege escalation through binary planting due to insecure permissions set at install time. This allows code to be run as NT AUTHORITY/SYSTEM. Recommendations: For Microvirt MEmu version 6.0.6, consider restricting access to the MemuService.exe service binary to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Tika versions 1.7 through 1.17 **Description** The issue allows clients to send specially crafted headers to the tika-server, potentially injecting commands into the server's command line. This affects servers running tika-server and exposed to untrusted clients. **Recommendations** For Apache Tika versions 1.7 through 1.17, upgrade to Tika 1.18 to resolve the issue.