Giulia Melotti Garibaldi

**Name of the Vulnerable Software and Affected Versions** SoftPerfect NetWorx version 7.1.1 **Description** The issue allows an attacker to execute a malicious binary with potentially higher privileges via a low-privileged user account. This is achieved by abusing the Notifications function, which permits arbitrary binary execution and can be modified by any user. As a result, the binary execution occurs in the context of any user running the software. If the Notifications function is modified to execute a malicious binary, it will be executed by every user running the software on the system. **Recommendations** For SoftPerfect NetWorx version 7.1.1, consider disabling the Notifications function until a patch is available to prevent arbitrary binary execution. Restrict access to the Notifications function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Reprise License Manager version 14.2 **Description** The issue is a reflected cross-site scripting vulnerability (XSS) in the "/goform/login process" API endpoint, specifically in the `username` parameter via GET requests. No authentication is required to exploit this issue. **Recommendations** For Reprise License Manager version 14.2, as a temporary workaround, consider restricting access to the "/goform/login process" API endpoint or avoiding the use of the `username` parameter in this endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Reprise License Manager version 14.2 **Description** The issue is a reflected cross-site scripting vulnerability (XSS) in the "/goform/rlmswitchr process" file parameter via GET. Authentication is required to exploit this issue. **Recommendations** For Reprise License Manager version 14.2, consider restricting access to the "/goform/rlmswitchr process" endpoint until a patch is available. As a temporary workaround, avoid using the `file` parameter in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Reprise License Manager version 14.2 **Description** The issue allows for information disclosure via a GET request to "/goforms/rlminfo" without requiring authentication. The disclosed information includes details about software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details. **Recommendations** For Reprise License Manager version 14.2, consider restricting access to the "/goforms/rlminfo" endpoint to minimize the risk of exploitation. As a temporary workaround, limit the information disclosed by this endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Reprise License Manager version 14.2 **Description** The issue is a reflected cross-site scripting vulnerability in the "/goform/activate process" API endpoint, specifically in the `count` parameter, which can be exploited via GET requests. No authentication is required to exploit this issue. **Recommendations** For Reprise License Manager version 14.2, as a temporary workaround, consider restricting access to the "/goform/activate process" API endpoint or avoiding the use of the `count` parameter in this endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.