Dmitry Kuramin

**Name of the Vulnerable Software and Affected Versions** Solar appScreener versions 3.10.4 and earlier **Description** The issue allows XXE and SSRF attacks via a crafted XML document when a valid license is not present. **Recommendations** For Solar appScreener versions 3.10.4 and earlier, ensure a valid license is present to prevent XXE and SSRF attacks. As a temporary workaround, consider restricting the processing of crafted XML documents until a patch is available. Avoid using the application without a valid license to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Sovremennye Delovye Tekhnologii FX Aggregator terminal client version 1 Description: The issue allows attackers to cause a denial of service by making five invalid login attempts to a victim's account, resulting in access being suspended for five hours. This can be achieved by exploiting the login mechanism, specifically by attempting to log in with incorrect credentials multiple times. Recommendations: For Sovremennye Delovye Tekhnologii FX Aggregator terminal client version 1, consider implementing a temporary workaround such as limiting the number of consecutive invalid login attempts or introducing a cooldown period between attempts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lan ATMService M3 ATM Monitoring System version 6.1.0 **Description** A directory-listing issue allows a remote attacker to view log files located in `/websocket/logs/`, which contain a user's cookie values and the predefined developer's cookie value. **Recommendations** For Lan ATMService M3 ATM Monitoring System version 6.1.0, consider restricting access to the `/websocket/logs/` directory to prevent unauthorized viewing of log files until a patch is available. As a temporary workaround, restrict access to the vulnerable `websocket` module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lan ATMService M3 ATM Monitoring System version 6.1.0 **Description** The issue allows a remote attacker to gain control over the system due to insufficient session expiration. This can be achieved by using a default cookie value, such as `PHPSESSID=LANIT-IMANAGER`. **Recommendations** For Lan ATMService M3 ATM Monitoring System version 6.1.0, consider changing the default cookie value to a unique and secure value to prevent unauthorized access. As a temporary workaround, restrict access to the system until a patch is available. Avoid using the default `PHPSESSID` value in the affected system until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Click Studios Passwordstate version 8.9 (Build 8973) **Description** A security issue allows a remote attacker to perform a brute force attack on a 4-digit PIN code generated by the built-in generator for mobile device access. This could result in the attacker gaining access to all passwords available for the affected account. **Recommendations** For Click Studios Passwordstate version 8.9 (Build 8973), consider temporarily disabling the PIN code feature for mobile device access until a patch is available. Restrict access to sensitive password data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.