Johannes Greil

**Name of the Vulnerable Software and Affected Versions** Kiuwan Cloud (affected versions not specified) Kiuwan SAST on-premise (KOP) versions prior to 2.8.2509.4 **Description** Kiuwan SAST improperly authorizes SSO logins for mapped user accounts that have been locally disabled. This allows users whose accounts are disabled in the user admin settings to maintain access to the application. **Recommendations** Update Kiuwan SAST on-premise (KOP) to version 2.8.2509.4 or later. At the moment, there is no information about a newer version that contains a fix for this vulnerability for Kiuwan Cloud.

**Name of the Vulnerable Software and Affected Versions** Kiuwan SAST version master.1808.p685.q13371 **Description** The issue arises when the Kiuwan Local Analyzer uploads scan results to the Kiuwan SAST web application, which processes XML files containing external entities. This leads to an XML external entity injection attack. An attacker with privileges to scan source code can extract files from the operating system with the application server user's rights, potentially gaining access to sensitive files like configuration and passwords. The attacker can also initiate connections to internal systems for port scans or access other internal functions and applications. **Recommendations** For version master.1808.p685.q13371, consider disabling the XML entity resolution feature in the Kiuwan SAST web application until a patch is available. Restrict access to the "Code Security" module to minimize the risk of exploitation. Avoid using the Kiuwan Local Analyzer to upload scan results to the Kiuwan SAST web application until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Kiuwan SAST version <master.1808.p685.q13371> **Description** The issue concerns an API endpoint "/saas/rest/v1/info/application" that allows access to information about any application, using the `application` parameter. This endpoint lacks proper access control, enabling other authenticated users to read application information without the necessary rights. **Recommendations** For Kiuwan SAST version <master.1808.p685.q13371>, consider restricting access to the "/saas/rest/v1/info/application" API endpoint until a proper fix is available. As a temporary workaround, limit the use of the `application` parameter in this endpoint to minimize the risk of unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Kiuwan SAST: versions prior to the fixed version Kiuwan Local Analyzer (KLA) (affected versions not specified) **Description** The Kiuwan Local Analyzer (KLA) Java scanning application contains several hard-coded secrets in plain text format, potentially compromising the confidentiality of scan results. Credentials were found in the JAR files, including `insight.github.user` and `insight.github.password` in the "InsightServicesConfig.properties" file, and an encryption key in the "es/als/security/Encryptor.properties" file. At least one specified username corresponds to a valid GitHub account. **Recommendations** For Kiuwan SAST, update to a version that includes the fix for this issue. For Kiuwan Local Analyzer (KLA), consider removing or securely storing the hard-coded secrets, such as `insight.github.user` and `insight.github.password`, and the encryption key in the "es/als/security/Encryptor.properties" file, until a patch is available. As a temporary workaround, restrict access to the "lib.engine/insight/optimyth-insight.jar" file and its contents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kiuwan SAST version <master.1808.p685.q13371> **Description** The issue allows for an unauthenticated reflected cross-site scripting attack on the login page "login.html" when SSO (single sign-on) is enabled. This is due to the `message` request parameter values being directly included in a JavaScript block in the response. This is particularly critical in business environments using AD SSO authentication, where attackers could potentially steal AD passwords. **Recommendations** For Kiuwan SAST version <master.1808.p685.q13371>, as a temporary workaround, consider restricting access to the "login.html" page or disabling the SSO feature until a patch is available. Avoid using the `message` parameter in the login page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ADB broadband gateways / routers based on the Epicentro platform (affected versions not specified) **Description** A privilege escalation issue affects the devices, allowing attackers to access the command line interface (CLI) if it was previously disabled by the ISP, escalate privileges, and conduct further attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ADB broadband gateways / routers based on the Epicentro platform (affected versions not specified) **Description** The issue allows attackers to gain root access on the device and extract sensitive configuration data, such as VoIP credentials, or attack the internal network of the ISP. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ADB broadband gateways / routers based on the Epicentro platform (affected versions not specified) **Description** The issue allows attackers to bypass authorization and access settings within the web interface that are normally restricted to end users, such as those controlled by the ISP. This could enable an attacker to modify settings, for example, by enabling the TELNET server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Harman AMX devices (affected versions not specified) **Description** The issue is related to the `setUpSubtleUserAccount` function in `/bin/bw`, which has a hardcoded password for the `1MB@tMaN` account. This makes it easier for remote attackers to obtain access via SSH or HTTP sessions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Harman AMX devices (affected versions not specified) **Description** The issue is related to the `setUpSubtleUserAccount` function in `/bin/bw`, which has a hardcoded password for the BlackWidow account. This makes it easier for remote attackers to obtain access via SSH or HTTP sessions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shopizer versions 1.1.5 and earlier **Description** The issue allows remote attackers to modify the account settings of arbitrary users. This is achieved via the `customer.customerId` parameter to the "shop/profile/register.action" endpoint. **Recommendations** For Shopizer versions 1.1.5 and earlier, avoid using the `customer.customerId` parameter in the "shop/profile/register.action" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "shop/profile/register.action" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue allows remote authenticated users to execute arbitrary commands. This is possible through vectors involving file editing in the System File Overview feature of the NeDi component. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, consider restricting access to the System File Overview feature in the NeDi component until a patch is available. As a temporary workaround, limit the ability to edit files in this feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue concerns the Foundation webapp admin interface in GroundWork Monitor Enterprise, where it uses the nagios account as the owner of writable files under /usr/local/groundwork. This setup allows attackers to bypass intended filesystem restrictions by leveraging access to a GroundWork script. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, consider changing the ownership of writable files under /usr/local/groundwork to a more restrictive account to prevent unauthorized access. Additionally, restrict access to GroundWork scripts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The vulnerabilities are related to vectors involving the foundation-webapp/admin/ directory, the NeDi component, or the Noma component. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, update to a version that addresses these XSS vulnerabilities. As a temporary workaround, consider restricting access to the foundation-webapp/admin/ directory, as well as the NeDi and Noma components, to minimize the risk of exploitation. Avoid using these components until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue allows remote authenticated users to execute arbitrary commands and obtain sensitive information by leveraging a JOSSO SSO cookie. This is related to the monarch scan.cgi in the MONARCH component. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, consider restricting access to the monarch scan.cgi until a patch is available. As a temporary workaround, limit the use of JOSSO SSO cookies to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue is related to an XML External Entity (XXE) problem, allowing remote authenticated users to read arbitrary files. This is possible through the Profile Importer feature in monarch.cgi in the MONARCH component, when an XML document containing an external entity declaration is used in conjunction with an entity reference. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, consider disabling the Profile Importer feature in monarch.cgi until a patch is available to prevent exploitation of the XXE issue. Restrict access to the MONARCH component to minimize the risk of unauthorized file reading.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue allows remote authenticated users to bypass intended access restrictions. This can be achieved via a direct request for a log file or a configuration file. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, consider restricting direct access to log and configuration files as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue allows remote authenticated users to obtain sensitive information via a direct request for certain files or contexts, including (1) a configuration file, (2) a database dump, or (3) the Tomcat status context. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, restrict access to sensitive files and contexts, such as configuration files, database dumps, and the Tomcat status context, to prevent unauthorized access. Consider disabling direct requests for these sensitive resources until a fix is available.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in the scan functionality in the System / NeDi menu, specifically in the html/System-NeDi.php file of the NeDi component. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, consider restricting access to the NeDi component or the System / NeDi menu to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the scan functionality in the System / NeDi menu.

**Name of the Vulnerable Software and Affected Versions** GroundWork Monitor Enterprise version 6.7.0 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. **Recommendations** For GroundWork Monitor Enterprise version 6.7.0, at the moment, there is no information about a newer version that contains a fix for this issue.