Elcazator

**Name of the Vulnerable Software and Affected Versions** Open Automation Software versions prior to 20.00.0076 **Description** A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an `rdlx` file on the server system itself. Any code within the `rdlx` file of the report executes with SYSTEM privileges, resulting in privilege escalation. **Recommendations** For versions prior to 20.00.0076, upgrade to version 20.00.0076 or later to mitigate the risk of privilege escalation. As a temporary workaround, consider restricting access to the `rdlx` file and report execution functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TwinCAT Package Manager (affected versions not specified) **Description** A local user with administrative access rights can enter specially crafted values for settings at the user interface (UI) of the TwinCAT Package Manager, which can cause arbitrary OS commands to be executed. The vulnerability is related to the lack of measures to neutralize special elements. Exploitation of the vulnerability may allow an attacker to execute arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iniNet Solutions SpiderControl SCADA PC HMI Editor (affected versions not specified) **Description** The issue is related to a path traversal vulnerability. When the software loads a malicious `ems` project template file created by an attacker, it can write files to arbitrary directories. This can lead to overwriting system files, causing system paralysis, or writing to startup items, resulting in remote control. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.