Enesdex

**Name of the Vulnerable Software and Affected Versions** Gila CMS versions prior to 2.0.0 **Description** Gila CMS is affected by a remote code execution issue that allows unauthenticated attackers to execute arbitrary system commands. This is achieved by manipulating HTTP headers, specifically injecting PHP code into the User-Agent header. The `shell exec()` function is used to run system commands by sending crafted requests to the admin endpoint. The API endpoint ''/admin'' is vulnerable. The vulnerable parameter is the `User-Agent` header. **Recommendations** Update Gila CMS to version 2.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A race condition was found in the Linux kernel's watch queue due to a missing lock in `pipe resize ring()`. The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WebAccess/NMS versions prior to 3.0.3 Build6299 **Description** The issue allows unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS, due to an improper authentication vulnerability. **Recommendations** For versions prior to 3.0.3 Build6299, update to version 3.0.3 Build6299 or later to resolve the issue. As a temporary workaround, consider restricting access to the WebAccess/NMS dashboard to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Advantech iView versions prior to v5.7.03.6182 **Description** The issue is related to missing authentication in the configuration of the affected product, potentially allowing an attacker to modify configurations and execute arbitrary code. **Recommendations** For versions prior to v5.7.03.6182, update to version v5.7.03.6182 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Advantech iView versions prior to v5.7.03.6182 **Description** The issue allows an unauthorized attacker to disclose information due to a SQL injection vulnerability. It affects various functions, including `findUpdateDeviceListDetails`, `saveZtpConfig`, `deleteZtpConfig`, `getInventoryReportData`, `getAllActiveTraps`, `setDeviceAuthentication`, `getNextTrapPage`, and `getPSInventoryInfo` in the `NetworkServlet`. **Recommendations** For versions prior to v5.7.03.6182, update to version v5.7.03.6182 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable functions until a patch is available. Avoid using the vulnerable `NetworkServlet` endpoints, such as `/NetworkServlet`, until the issue is resolved. Restrict access to the SQL database to minimize the risk of exploitation.