Eldar Marcussen

**Name of the Vulnerable Software and Affected Versions** ServiceNow versions Quebec prior to Patch 10 Hot Fix 8b ServiceNow versions Rome prior to Patch 10 Hot Fix 1 ServiceNow versions San Diego prior to Patch 7 ServiceNow versions Tokyo prior to Tokyo Patch 1 ServiceNow versions Utah prior to Utah General Availability **Description** The issue is an Access Control List (ACL) bypass in ServiceNow Core functionality. If successfully exploited, it could allow an authenticated user to obtain sensitive information from tables missing authorization controls. **Recommendations** For ServiceNow Quebec, apply Patch 10 Hot Fix 8b or later to resolve the issue. For ServiceNow Rome, apply Patch 10 Hot Fix 1 or later to resolve the issue. For ServiceNow San Diego, apply Patch 7 or later to resolve the issue. For ServiceNow Tokyo, apply Tokyo Patch 1 or later to resolve the issue. For ServiceNow Utah, upgrade to Utah General Availability or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FarLinX X25 Gateway versions through 2014-09-25 **Description** The issue allows attackers to write arbitrary data to fsUI.xyz via the `fsSaveUIPersistence.php` endpoint. This can be exploited by sending malicious data to the `fsSaveUIPersistence.php` endpoint, potentially leading to unauthorized access or data modification. **Recommendations** For FarLinX X25 Gateway versions through 2014-09-25, consider restricting access to the `fsSaveUIPersistence.php` endpoint until a fix is available. As a temporary workaround, avoid using the `fsSaveUIPersistence.php` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lexiglot versions prior to 2014-11-20 **Description** The issue allows local users to obtain sensitive information by listing a process. This is possible because the `username` and `password` are visible on the command line. **Recommendations** For versions prior to 2014-11-20, consider restricting access to process listings to minimize the risk of sensitive information disclosure until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Lexiglot through 2014-11-20 **Description** The issue allows remote attackers to obtain sensitive information, specifically the full path, via a request to the "include/smarty/plugins/modifier.date format.php" endpoint if PHP has a non-recommended configuration that produces warning messages. **Recommendations** For Lexiglot through 2014-11-20, consider restricting access to the "include/smarty/plugins/modifier.date format.php" endpoint until a fix is available. Additionally, review and adjust PHP configurations to avoid producing warning messages, which can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lexiglot versions through 2014-11-20 **Description** The issue allows remote attackers to obtain sensitive information, including names and details of projects, by visiting the "/update.log" URI. **Recommendations** For Lexiglot versions through 2014-11-20, as a temporary workaround, consider restricting access to the "/update.log" URI until a fix is available.

Name of the Vulnerable Software and Affected Versions: Lexiglot versions prior to 2014-11-20 Description: The issue allows SQL injection via specific URI parameters. This can be exploited through the "admin.php?page=users&from id=" or "admin.php?page=history&limit=" API endpoints, using the `from id` and `limit` variables. Recommendations: For versions prior to 2014-11-20, consider restricting access to the "admin.php?page=users" and "admin.php?page=history" API endpoints until a fix is available. Avoid using the `from id` and `limit` variables in these endpoints to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Lexiglot versions prior to 2014-11-20 Description: The issue allows for Cross-Site Request Forgery (CSRF) attacks. CSRF is an attack that tricks the victim into performing unintended actions on a web application that they are authenticated to. Recommendations: For versions prior to 2014-11-20, update to a version released after 2014-11-20 to resolve the issue. As a temporary workaround, consider implementing CSRF tokens or restricting access to sensitive operations to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Lexiglot versions prior to 2014-11-20 Description: The issue allows for Server-Side Request Forgery (SSRF) via the `svn url` parameter in the `admin.php?page=projects` endpoint. This means an attacker could potentially force the server to make unauthorized requests. Recommendations: For versions prior to 2014-11-20, as a temporary workaround, consider restricting access to the `admin.php?page=projects` endpoint until a fix is available. Avoid using the `svn url` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Lexiglot versions prior to 2014-11-20 Description: The issue allows for XSS (Reflected) via the `username` or XSS (Stored) via the "admin.php?page=config" endpoint, specifically through the `install name`, `intro message`, or `new file content` parameters. Recommendations: For versions prior to 2014-11-20, as a temporary workaround, consider restricting access to the "admin.php?page=config" endpoint and avoid using the `username`, `install name`, `intro message`, or `new file content` parameters until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Lexiglot versions through 2014-11-20 Description: The issue allows command injection via the `username` and `password` fields in the "admin.php?page=projects" endpoint. Recommendations: For versions through 2014-11-20, update to a version released after 2014-11-20 to resolve the issue. As a temporary workaround, consider restricting access to the "admin.php?page=projects" endpoint until a patch is available. Avoid using the `username` and `password` fields in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Cmfive versions through 2015-03-15 Description: The issue allows remote attackers to obtain sensitive information, including usernames and passwords, via any request, such as a password reset request, when database connectivity malfunctions. This occurs due to a problem in the system/classes/DbPDO.php file. Recommendations: For versions through 2015-03-15, as a temporary workaround, consider restricting access to the `DbPDO.php` file until a patch is available. Avoid using the `system/classes/DbPDO.php` file in requests that may lead to database connectivity malfunctions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FarLinX X25 Gateway through 2014-09-25 **Description** The issue allows command injection via shell metacharacters to several PHP files, including `sysSaveMonitorData.php`, `fsx25MonProxy.php`, `syseditdate.php`, `iframeupload.php`, and `sysRestoreX25Cplt.php`. **Recommendations** For FarLinX X25 Gateway versions through 2014-09-25, consider restricting access to the vulnerable PHP files until a patch is available. As a temporary workaround, avoid using shell metacharacters in inputs to these files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FarLinX X25 Gateway versions through 2014-09-25 **Description** The issue allows directory traversal via the log-handling feature. **Recommendations** For versions through 2014-09-25, consider disabling the log-handling feature as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lexiglot versions through 2014-11-20 **Description** The issue allows for denial of service because the "api/update.php" endpoint launches svn update operations that use a great deal of resources. **Recommendations** For versions through 2014-11-20, consider restricting access to the "api/update.php" endpoint to minimize the risk of exploitation. As a temporary workaround, consider disabling the svn update operations launched by the "api/update.php" endpoint until a more permanent solution is available.

**Name of the Vulnerable Software and Affected Versions** HP ThinPro (affected versions not specified) **Description** The issue arises from insufficient input validation in the VPN software implementation within HP ThinPro, allowing an attacker to potentially inject commands that execute with root privileges. This could enable an attacker to run arbitrary commands in superuser mode. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Citrix Receiver (affected versions not specified) **Description** The issue arises from insufficient input validation in the Citrix Receiver wrapper function, allowing an attacker to potentially inject commands that execute with local user privileges. This could enable an attacker to run arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cacti versions prior to 1.2.8 **Description** The issue affects how template identifiers are handled in Cacti when a string and a composite id value are used. This can be exploited by an authenticated attacker to extract data from the database. Additionally, an unauthenticated remote attacker could exploit this via a Cross-Site Request Forgery attack. The vulnerability is related to the `template id` function in the `graphs.php` file. **Recommendations** For versions prior to 1.2.8, update to version 1.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `graphs.php` file and the `template id` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ABB IDAL HTTP server (affected versions not specified) **Description** The issue is related to the mishandling of format strings in a username or cookie during the authentication process. Attempting to authenticate with the username `%25s%25p%25x%25n` will crash the server. Sending `%08x.AAAA.%08x.%08x` will log memory content from the stack. This could potentially allow a remote attacker to execute arbitrary code by sending a specially crafted request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ABB IDAL FTP server (affected versions not specified) **Description** The issue is related to the mishandling of format strings in a username during the authentication process. Attempting to authenticate with the username `%s%p%x%d` will crash the server. Sending `%08x.AAAA.%08x.%08x` will log memory content from the stack. This could potentially allow a remote attacker to execute arbitrary code by sending a specially crafted request with a username. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ABB IDAL FTP server (affected versions not specified) **Description** The issue is related to a buffer overflow in the ABB IDAL FTP server. When an authenticated attacker sends a long string, specifically a FTP command string of 472 bytes or more, it can overflow a buffer. This overflow is handled but results in the termination of the server process, effectively causing a denial of service. The exploitation of this issue can allow a remote attacker to terminate the server by sending commands that exceed the 472-byte limit. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.