Evgeniy Ermakov

**Name of the Vulnerable Software and Affected Versions** Liebert SiteScan versions prior to 6.5 **Description** The issue is related to an XML External Entity (XXE) problem, which is caused by incorrect restriction of XML links to external objects. This can allow a remote attacker to gain access to confidential information by using specially crafted XML requests. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser, causing the application to execute arbitrary code or disclose file contents from a server or connected network. **Recommendations** For versions prior to 6.5, consider disabling the XML parser or restricting its use until a patch is available to prevent exploitation of the XXE issue. Restrict access to the Liebert SiteScan web interface to minimize the risk of exploitation. Avoid using weakly configured XML parsers in the Liebert SiteScan application until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Invensys Wonderware Information Server (WIS) versions 4.0 SP1 through 5.0 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. **Recommendations** For Invensys Wonderware Information Server (WIS) versions 4.0 SP1 through 5.0, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Invensys Wonderware Information Server (WIS) versions 4.0 SP1 through 5.0 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service due to unrestricted size and amount values. **Recommendations** For versions 4.0 SP1 through 5.0, restrict size and amount values to prevent remote attackers from executing arbitrary code or causing a denial of service.

**Name of the Vulnerable Software and Affected Versions** Invensys Wonderware Information Server (WIS) version 4.0 SP1 Invensys Wonderware Information Server (WIS) versions 4.5 through 5.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For Invensys Wonderware Information Server (WIS) version 4.0 SP1, update to a version that includes a fix for this issue. For Invensys Wonderware Information Server (WIS) versions 4.5 through 5.0, update to a version that includes a fix for this issue.