Ianis Bernard

An Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi allows unauthenticated, remote attackers to bypass file access controls. The ValidateAnonFileAccess function incorrectly grants access if an 'AnonFile' query parameter containing exactly 256 characters is provided. While this flaw allows bypassing the intended authorization check, the actual security impact is negligible; the exposed resources are strictly limited to minified JavaScript and CSS files that contain no sensitive data and are already publicly accessible via a standard CDN.

A Server-Side Request Forgery (SSRF) vulnerability in the custom process creation feature of linqi allows an authenticated attacker to probe internal network components. By crafting a specific process containing an HTTP Request component, an attacker can force the server to send arbitrary HTTP requests. By observing the varying application responses (Success, Failed, or 504 Gateway Time-out), the attacker can determine the status of internal ports, leading to internal network reconnaissance.

**Name of the Vulnerable Software and Affected Versions** linqi (affected versions not specified) **Description** The application contains hardcoded cryptographic keys and employs a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption. This implementation makes known-plaintext attacks feasible, where an attacker can deduce the plaintext by comparing it with the ciphertext. An attacker with local access can decrypt sensitive obfuscated strings, such as `ConnectionString` values containing database credentials located in the `appsettings.json` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alludo MindManager versions prior to 25.0.208 **Description** Alludo MindManager on Windows allows attackers to potentially execute code as other local users on the same machine by writing DLL files to directories within victims' DLL search paths. **Recommendations** Update Alludo MindManager to version 25.0.208 or later.

**Name of the Vulnerable Software and Affected Versions** Unicom Focal Point version 7.6.1 **Description** A Cross Site Scripting issue was found. The `val` parameter in `SettingController` for the "/fp/admin/settings/loginpage" endpoint and the `rootserviceurl` parameter in `FriendsController` for the "/fp/admin/settings/friends" endpoint are vulnerable to stored XSS attacks when entered by an admin. **Recommendations** For Unicom Focal Point version 7.6.1, consider disabling the `val` parameter in `SettingController` and the `rootserviceurl` parameter in `FriendsController` as a temporary workaround until a patch is available. Restrict access to the "/fp/admin/settings/loginpage" and "/fp/admin/settings/friends" endpoints to minimize the risk of exploitation. Avoid using the `val` and `rootserviceurl` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Unicom Focal Point version 7.6.1 **Description** An issue was discovered where the database is encrypted with a hardcoded key, making it easier to recover the cleartext data. **Recommendations** For Unicom Focal Point version 7.6.1, consider changing the hardcoded key to a unique, user-defined key to improve encryption security. As a temporary workaround, restrict access to the database to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Unicom Focal Point version 7.6.1 **Description** An issue was discovered in ReportController, allowing a user with administrative privilege to perform SQL injection via the `image` parameter during a delete report image operation. **Recommendations** For Unicom Focal Point version 7.6.1, consider restricting access to the delete report image operation to prevent potential SQL injection attacks until a patch is available. As a temporary workaround, limit the privileges of users who can perform this operation to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nintex Automation versions 5.6 through 5.7 **Description** The issue concerns insecure deserialization of user input. **Recommendations** For versions 5.6 and 5.7, update to version 5.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Nintex Automation versions 5.6 through 5.7 **Description** The issue concerns configuration files in the K2 SmartForms Designer folder that contain passwords readable by unauthorized users. **Recommendations** For Nintex Automation versions 5.6 through 5.7, update to version 5.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBL Software Engineering Visual Weather versions prior to 7.3.10 IBL Software Engineering Visual Weather versions prior to 8.6.0 **Description** A security issue has been identified in the Product Delivery Service (PDS) component of IBL Software Engineering Visual Weather and derived products, where the PDS pipeline utilizes the IPDS pipeline with Message Editor Output Filters enabled. This allows a remote unauthenticated attacker to send unauthenticated requests to execute the IPDS pipeline with specially crafted Form Properties, enabling remote execution of arbitrary Python code. This could lead to a full system compromise of the affected server, particularly if Visual Weather services are run under a privileged user account. **Recommendations** Upgrade to version 7.3.10 or higher. Upgrade to version 8.6.0 or higher.

**Name of the Vulnerable Software and Affected Versions** PlexTrac versions 1.61.3 through 2.8.1 **Description** The issue is related to the deserialization of untrusted data in PlexTrac's Runbooks modules, allowing object injection and arbitrary file writes. **Recommendations** For versions 1.61.3 through 2.8.1, update to a version that contains a fix for this issue. As a temporary workaround, consider disabling the deserialization of untrusted data in the Runbooks modules until a patch is available. Restrict access to the Runbooks modules to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PlexTrac versions 1.61.3 through 2.8.1 **Description** The issue is a Server-Side Request Forgery (SSRF) vulnerability in PlexTrac, allowing requests to internal system resources. **Recommendations** For PlexTrac versions 1.61.3 through 2.8.1, update to a version after 2.8.1 to resolve the issue. As a temporary workaround, consider restricting access to internal system resources until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PlexTrac versions 1.61.3 through 2.8.1 **Description** The issue affects PlexTrac due to an external control of file name or path vulnerability, allowing local code inclusion through the use of an undocumented API endpoint. **Recommendations** For versions 1.61.3 through 2.8.1, update to version 2.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the undocumented API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PlexTrac versions 1.61.3 through 2.8.1 **Description** The issue is related to the deserialization of untrusted data in PlexTrac, specifically in the Runbooks modules, allowing object injection and arbitrary file writes. This enables attackers to perform malicious actions. **Recommendations** For versions 1.61.3 through 2.8.1, update to version 2.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Runbooks modules to minimize the risk of exploitation. Avoid using the affected modules until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: IBM Security Verify Access Appliance versions 10.0.0 through 10.0.8 Description: The issue is related to the failure to neutralize special elements, which could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. This could potentially lead to the execution of arbitrary code. Recommendations: For IBM Security Verify Access Appliance versions 10.0.0 through 10.0.8, consider disabling the functionality that allows remote authenticated attackers to send specially crafted requests until a patch is available. Restrict access to the system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBM Security Verify Access Appliance versions 10.0.0 through 10.0.8 Description: The issue concerns the presence of hard-coded credentials, such as a password or cryptographic key, used for inbound authentication, outbound communication to external components, or encryption of internal data. Recommendations: For versions 10.0.0 through 10.0.8, consider disabling the use of hard-coded credentials as a temporary workaround until a patch is available. Restrict access to the appliance to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBM Security Verify Access Appliance versions 10.0.0 through 10.0.8 Description: The issue concerns hard-coded credentials, such as a password or cryptographic key, used by the appliance for its own inbound authentication, outbound communication to external components, or encryption of internal data. This poses serious cybersecurity risks. Recommendations: For versions 10.0.0 through 10.0.8, consider disabling the use of hard-coded credentials as a temporary workaround until a patch is available. Restrict access to the appliance to minimize the risk of exploitation. Avoid using the affected appliance for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.4.158 **Description** An issue was discovered in MISP where PHAR deserialization can occur. **Recommendations** For versions prior to 2.4.158, update to version 2.4.158 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.4.156 **Description** An issue was discovered that allows Local File Inclusion via the custom terms file setting in the `app/View/Users/terms.ctp` file. **Recommendations** For versions prior to 2.4.156, update to version 2.4.156 or later to resolve the issue. As a temporary workaround, consider restricting access to the `terms.ctp` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.4.156 **Description** An issue was discovered where the `generateServerSettings` function in `app/Model/Server.php` does not restrict access to the CLI, potentially leading to Server-Side Request Forgery (SSRF). **Recommendations** For versions prior to 2.4.156, update to version 2.4.156 or later to resolve the issue. As a temporary workaround, consider restricting access to the `generateServerSettings` function to the CLI only, until a patch is available.