GE Grid Solutions · RT430 · CVE-2020-12017
**Name of the Vulnerable Software and Affected Versions**
GE Grid Solutions Reason RT Clocks versions prior to 08A05
GE Grid Solutions RT430 versions prior to 08A05
GE Grid Solutions RT431 versions prior to 08A05
GE Grid Solutions RT434 versions prior to 08A05
**Description**
The device's web application contains a vulnerability that could allow multiple unauthenticated attacks with potentially serious impact. An unauthenticated attacker may execute arbitrary commands, make the device unresponsive by sending a request to a specific URL, change the password of the `configuration` user account in order to modify the device's configuration via the web interface, or bypass the authentication required to configure the device and reboot the system.
**Recommendations**
For GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434 versions prior to 08A05, update the firmware to version 08A05 or later to resolve the issue.
As a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation.
Avoid using the web interface for configuration changes until the issue is resolved.