Jakub Płatek

Name of the Vulnerable Software and Affected Versions: EZD RP versions prior to 20.19 Description: The issue allows unauthorized access to the "/api/Token/gettoken" endpoint in EZD RP, enabling file manipulation. Recommendations: For versions prior to 20.19, update to version 20.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/Token/gettoken" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP versions 15 through 15.83 Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP versions 16 through 16.14 Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP versions 17 through 17.1 **Description** The issue allows a logged-in user to change the password of any user, including the root user, which could lead to privilege escalation. **Recommendations** For versions 15 through 15.83, update to version 15.84 or later to resolve the issue. For versions 16 through 16.14, update to version 16.15 or later to resolve the issue. For versions 17 through 17.1, update to version 17.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** EZD RP versions 15 through 15.83 EZD RP versions 16 through 16.14 EZD RP versions 17 through 17.1 **Description** The issue allows a logged-in user to list all users in the system, including those from other organizations. This is due to an Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP. **Recommendations** For EZD RP versions 15 through 15.83, update to version 15.84 or later to resolve the issue. For EZD RP versions 16 through 16.14, update to version 16.15 or later to resolve the issue. For EZD RP versions 17 through 17.1, update to version 17.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP versions prior to 19.6 **Description** The issue allows a logged-in user to retrieve sensitive information about IP infrastructure and credentials. **Recommendations** For versions prior to 19.6, update to version 19.6 or later to resolve the issue.