Jorian Van Den Hout

**Name of the Vulnerable Software and Affected Versions** Iagona ScrutisWeb versions 2.1.37 and prior **Description** The issue is related to a cryptographic vulnerability. This vulnerability could allow an unauthenticated user to decrypt encrypted passwords into plaintext. **Recommendations** For Iagona ScrutisWeb versions 2.1.37 and prior, update to a version later than 2.1.37 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Iagona ScrutisWeb versions 2.1.37 and prior **Description** The issue is related to a remote code execution vulnerability that could allow an unauthenticated user to upload a malicious payload and execute it. This is due to an unlimited file upload of dangerous types, which can be exploited by a remote attacker to execute arbitrary code by uploading an arbitrary file. **Recommendations** For Iagona ScrutisWeb versions 2.1.37 and prior, consider disabling the file upload feature until a patch is available to prevent exploitation of the remote code execution vulnerability. Restrict access to the affected module to minimize the risk of exploitation. Avoid using the file upload functionality in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Iagona ScrutisWeb versions 2.1.37 and prior **Description** The issue exists due to incorrect restriction of the path name to a directory with limited access. Exploitation of this issue may allow a remote attacker to gain direct access to any arbitrary file outside the webroot. Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to hacking. **Recommendations** For Iagona ScrutisWeb versions 2.1.37 and prior, update to a version later than 2.1.37 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories outside the webroot to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Iagona ScrutisWeb versions 2.1.37 and prior **Description** The issue is related to an insecure direct object reference vulnerability. This could allow an unauthenticated user to view profile information, including user login names and encrypted passwords. The vulnerability is associated with an error in processing user-controlled authorization keys. **Recommendations** For Iagona ScrutisWeb versions 2.1.37 and prior, update to a version later than 2.1.37 to resolve the issue. As a temporary workaround, consider restricting access to profile information to minimize the risk of exploitation. Avoid using the vulnerable `profile information` endpoint until the issue is resolved. At the moment, there is no information about additional mitigation measures.