Hidde Smit

Name of the Vulnerable Software and Affected Versions: Videx CyberAudit-Web versions prior to 9.5 Description: An authentication bypass issue was found, allowing an attacker to create a valid session without credentials by exploiting a logic flaw. Recommendations: For versions prior to 9.5, update to a version later than 9.5, as a patch has been made available for all instances, including those that are End of Maintenance (EOM). If support is required, contact support@videx.com for assistance.

Name of the Vulnerable Software and Affected Versions: Videx CyberAudit-Web versions prior to 1.1.3 Description: A Server-Side Request Forgery (SSRF) vulnerability was discovered in the videx-legacy-ssl web service of Videx’s CyberAudit-Web. This issue could lead to unauthorized access to the underlying infrastructure. Recommendations: For versions prior to 1.1.3, update to a version after 1.1.3 to patch the vulnerability. As a temporary workaround, consider restricting access to the videx-legacy-ssl web service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SO Planning tool versions prior to 1.52.02 **Description** A SQL Injection issue has been found in the SO Planning tool when the public view setting is enabled, allowing an attacker to gain access to the underlying database. **Recommendations** For versions prior to 1.52.02, update to version 1.52.02 to resolve the issue. As a temporary workaround, consider disabling the public view setting until the update is applied.

**Name of the Vulnerable Software and Affected Versions** SO Planning online planning tool versions prior to 1.52.02 **Description** A Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool, allowing an attacker to upload executable files to a publicly accessible folder without verifying any requirements. This leads to the possibility of executing code on the underlying system when the file is triggered. **Recommendations** For versions prior to 1.52.02, update to version 1.52.02 to resolve the issue. As a temporary workaround, consider restricting access to the file upload feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SO Planning versions prior to 1.52.02 **Description** A Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, an attacker can upload a PHP-file that will be available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. **Recommendations** For versions prior to 1.52.02, update to version 1.52.02 to resolve the issue. As a temporary workaround, consider disabling the public view setting until the update is applied. Restrict access to the PHP-file upload feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SO Planning tool versions prior to 1.52.02 **Description** An unauthenticated Insecure Direct Object Reference (IDOR) to the database has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this issue to gain access to the underlying database by exporting it as a CSV file. **Recommendations** For versions prior to 1.52.02, update to version 1.52.02 to resolve the issue. As a temporary workaround, consider disabling the public view setting until the update is applied. Restrict access to the database export functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Enphase IQ Gateway (formerly known as Envoy) versions 4.x through 8.x **Description** The issue is related to an improper neutralization of special elements used in a command, allowing OS command injection. This vulnerability is present in an internal script and poses a serious threat, as attackers can exploit a flaw in these scripts. **Recommendations** For Enphase IQ Gateway (formerly known as Envoy) versions 4.x through 8.x, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Enphase IQ Gateway (formerly known as Envoy) versions 4.x through 8.x and less than 8.2.4225 **Description** The issue is related to a Path Traversal vulnerability, which allows an unauthenticated attacker to access or create arbitrary files via a URL parameter. This vulnerability affects Enphase IQ Gateway, formerly known as Envoy, and can be exploited by attackers to compromise exposed systems. **Recommendations** For Enphase IQ Gateway versions 4.x through 8.x and less than 8.2.4225, upgrade to version 8.2.4225 or later to mitigate the threat. As a temporary workaround, consider restricting access to the vulnerable URL parameter until a patch is available. Avoid using the vulnerable URL parameter in the affected Enphase IQ Gateway until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Enphase IQ Gateway (formerly known as Envoy) versions 4.x through 8.0 and less than 8.2.4225 **Description** The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as a Path Traversal vulnerability. This vulnerability allows file manipulation through a URL parameter in the Enphase IQ Gateway. The endpoint requires authentication, meaning an attacker would need to have valid credentials to exploit this issue. **Recommendations** For versions 4.x through 8.0 and less than 8.2.4225, update to version 8.2.4225 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable URL parameter until a patch is available. Avoid using the vulnerable URL parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Enphase IQ Gateway (formerly known as Envoy) versions 4.x through 8.x and versions prior to 8.2.4225 **Description** The issue is related to an Improper Neutralization of Special Elements used in a Command, also known as 'Command Injection' vulnerability. This vulnerability can be exploited through an URL parameter of an authenticated endpoint, allowing OS Command Injection. **Recommendations** For Enphase IQ Gateway versions 4.x through 8.x and versions prior to 8.2.4225, update to version 8.2.4225 or later to resolve the issue. As a temporary workaround, consider restricting access to the authenticated endpoint until a patch is available. Avoid using the vulnerable URL parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Enphase IQ Gateway (formerly known as Enphase) versions 4.x through 7.x **Description** The issue is related to an Improper Neutralization of Special Elements used in a Command, also known as a Command Injection vulnerability. This vulnerability can be exploited via the `url` parameter of an authenticated endpoint, allowing OS Command Injection. **Recommendations** For versions 4.x through 7.x, update the system's security measures promptly to ensure the vulnerability is resolved. As a temporary workaround, consider restricting access to the authenticated endpoint until a patch is available. Avoid using the `url` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Envoy versions 4.x through 5.x **Description** The issue is related to inadequate encryption strength, allowing an authenticated attacker to execute arbitrary OS commands via encrypted package upload. **Recommendations** For Envoy versions 4.x through 5.x, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ITarian platform (SAAS and on-premise) (affected versions not specified) **Description** A remote attacker can obtain sensitive information due to the failure to set the HTTP Only flag within the Service Desk module. This issue can be exploited in combination with a successful Cross-Site Scripting attack to gain access to the management interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ITarian platform versions prior to 6.35.37347.20040 **Description** The ITarian platform has a vulnerability in its approval process for procedures, which allows a malicious actor with a valid session token to create a procedure, bypass approval, and execute it. This results in the ability to perform arbitrary code execution and full system take-over on all agents. **Recommendations** For versions prior to 6.35.37347.20040, update to version 6.35.37347.20040 or later to resolve the issue. As a temporary workaround, consider restricting access to the procedure function to minimize the risk of exploitation. Additionally, restrict the use of valid session tokens to only necessary users to reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** ITarian Endpoint Manage Communication Client versions prior to 6.43.41148.21120 **Description** The issue is related to the ITarian Endpoint Manage Communication Client being compiled with insecure OpenSSL settings. This allows a malicious actor with low privileges access to a system to escalate their privileges to SYSTEM by abusing an insecure openssl.conf lookup. **Recommendations** For versions prior to 6.43.41148.21120, update to version 6.43.41148.21120 or later to resolve the issue. As a temporary workaround, consider restricting access to the openssl.conf file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Qlik Sense Enterprise on Windows (affected versions not specified) **Description** A vulnerability in Qlik Sense Enterprise on Windows could allow a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response time that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kaseya VSA versions prior to 9.5.6 **Description** The issue concerns an XML External Entity (XXE) vulnerability. It allows an attacker to submit malicious XML to the system via the API endpoint "/vsaWS/KaseyaWS.asmx". When this XML is processed, external entities are insecurely resolved and fetched by the system, potentially returning sensitive information to the attacker. This can be exploited to read any file on the server that the web server process can access. Additionally, it can be used to perform HTTP(s) requests within the local network, allowing an attacker to use the Kaseya system to pivot into the local network. **Recommendations** For versions prior to 9.5.6, update to version 9.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/vsaWS/KaseyaWS.asmx" API endpoint until a patch is applied. Avoid using the `XmlRequest` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Kaseya VSA versions prior to 9.5.7 **Description** The issue is related to an authenticated reflective Cross Site Scripting (XSS) attack. Specifically, the `result` parameter of the `/HelpDeskTab/rcResults.asp` endpoint and the `FileName` parameter of the `/done.asp` endpoint are insecurely returned in the requested web page, allowing for XSS attacks. For example, an attacker could use the endpoint `/HelpDeskTab/rcResults.asp` with a malicious `result` parameter, such as `<script>alert(document.cookie)</script>`, to execute a Cross Site Scripting attack. Similarly, the `/done.asp` endpoint is vulnerable with a crafted `FileName` parameter. **Recommendations** For versions prior to 9.5.7, update to version 9.5.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/HelpDeskTab/rcResults.asp` and `/done.asp` endpoints until a patch is applied. Avoid using the `result` parameter in the `/HelpDeskTab/rcResults.asp` endpoint and the `FileName` parameter in the `/done.asp` endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Kaseya VSA versions prior to 9.5.6 **Description** The issue allows for semi-authenticated local file inclusion, where the contents of arbitrary files can be returned by the web server. A valid session ID is required but can be easily obtained. This can be exploited through a crafted request, such as visiting a specific URL with a manipulated `path` parameter, for example, `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:KaseyaWebPagesdl.asp`. **Recommendations** For versions prior to 9.5.6, update to version 9.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `js.aspx` endpoint until a patch is applied. Avoid using the `path` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Harbor versions 1.9.* through 2.0.* **Description** The issue allows exposure of sensitive information to an unauthorized actor. Authenticated users can exploit an enumeration vulnerability in Harbor. The vulnerability is present in the "/users" API endpoint, which is supposed to be restricted to administrators. This restriction can be bypassed, and information can be obtained via the "search" functionality. Non-administrator users can list all usernames and user IDs by sending a GET request to "/api/users/search" with the parameter `username` and value ` `. **Recommendations** For Harbor versions 1.9.* through 2.0.*, update to either version 2.1.0 or 2.0.3 to fix this issue immediately. As a temporary workaround is not available, updating to the patched version is the recommended course of action.