Grant Hume

Name of the Vulnerable Software and Affected Versions: TopQuadrant TopBraid EDG versions prior to 8.0.1 Description: The issue allows an authenticated attacker to upload an XML DTD file and execute JavaScript, enabling them to read local files or access URLs, which is an example of an XML External Entity (XXE) attack. Recommendations: For versions prior to 8.0.1, update to version 8.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability to upload XML DTD files until the update can be applied.

Name of the Vulnerable Software and Affected Versions: Campbell Scientific CSI Web Server (affected versions not specified) Description: The issue allows anonymous, unauthenticated access to files and directories outside of the webserver root directory. This is achieved through a specially crafted expression that exploits a path traversal vulnerability in a command supported by the Campbell Scientific CSI Web Server. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Campbell Scientific CSI Web Server (affected versions not specified) Description: The issue concerns the storage of web authentication credentials in a file with a specific name. The passwords in this file are stored in a weakly encoded format, which could be decoded if an attacker gains access to the file. Although there is no known method for remote access to the file unless it has been manually renamed, gaining access to the file could allow an attacker to decode the passwords and reuse them to gain unauthorized access. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.