Jason Parker

**Name of the Vulnerable Software and Affected Versions** Catalis (previously Icon Software) CMS360 (affected versions not specified) **Description** The issue allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tyler Technologies Court Case Management Plus (affected versions not specified) **Description** The issue allows a remote attacker to authenticate as any user by manipulating at least the 'CmWebSearchPfp/Login.aspx?xyzldk=' and 'payforprint CM/Redirector.ashx?userid=' parameters. The vulnerable "pay for print" feature was removed on or around 2023-11-01. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tyler Technologies Court Case Management Plus (affected versions not specified) **Description** The issue concerns insufficient permission checks in public court record platforms, allowing unauthorized access to sealed, confidential, and unreleased records. A remote, unauthenticated attacker can enumerate and access sensitive files using the `tiffserver/tssp.aspx` endpoint with the `FN` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Court Case Management Plus (affected versions not specified) Tyler Technologies Court Case Management Plus (affected versions not specified) **Description** The issue concerns insufficient permission checks in public court record platforms from multiple vendors, allowing unauthorized public access to sealed, confidential, and unreleased information. A specific instance involves Tyler Technologies Court Case Management Plus, where a remote, unauthenticated attacker can enumerate directories using the `tiffserver/te003.aspx` or `te004.aspx` API endpoints, specifically the `ifolder` parameter. **Recommendations** For Court Case Management Plus, restrict access to the `tiffserver/te003.aspx` and `te004.aspx` API endpoints to prevent directory enumeration. For Tyler Technologies Court Case Management Plus, avoid using the `ifolder` parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tyler Technologies Civil and Criminal Electronic Filing (affected versions not specified) **Description** The issue allows an unauthenticated, remote attacker to upload, delete, and view files by manipulating the 'enky' parameter in the Upload.aspx endpoint. This enables unauthorized access to potentially sensitive information. **Recommendations** As a temporary workaround, consider restricting access to the Upload.aspx endpoint until a patch is available. Avoid using the `enky` parameter in the Upload.aspx endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 1.2.x through 1.2.26 Asterisk Open Source versions 1.4.x through 1.4.18 Asterisk Business Edition versions A.x.x through B.2.5.0 Asterisk Business Edition versions C.x.x through C.1.6.1 AsteriskNOW versions 1.0.x through 1.0.1 Appliance Developer Kit versions before 1.4 revision 109393 s800i versions 1.0.x through 1.1.0.1 **Description** The issue allows remote attackers to access the SIP channel driver via a crafted `From` header. **Recommendations** For Asterisk Open Source versions 1.2.x through 1.2.26, update to version 1.2.27 or later. For Asterisk Open Source versions 1.4.x through 1.4.18, update to version 1.4.18.1 or later. For Asterisk Business Edition versions A.x.x through B.2.5.0, update to version B.2.5.1 or later. For Asterisk Business Edition versions C.x.x through C.1.6.1, update to version C.1.6.2 or later. For AsteriskNOW versions 1.0.x through 1.0.1, update to version 1.0.2 or later. For Appliance Developer Kit versions before 1.4 revision 109393, update to revision 109393 or later. For s800i versions 1.0.x through 1.1.0.1, update to version 1.1.0.2 or later.