Joris Aerts

**Name of the Vulnerable Software and Affected Versions** Altium 365 (affected versions not specified) **Description** A missing authentication issue exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or identity verification. An unauthenticated network attacker with a target workspace identifier can interact with the search index, crossing tenant boundaries. This allows the attacker to read indexed contents, such as component data, project and folder names, and user metadata, as well as inject, modify, or delete search index entries. These actions impact the search index rather than the underlying vault data, potentially disclosing sensitive workspace information and compromising the integrity and availability of search results. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem. Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.

**Name of the Vulnerable Software and Affected Versions** Altium Enterprise Server (affected versions not specified) **Description** A path traversal issue exists in the Viewer StorageController due to improper handling of file path route parameters. In on-premise deployments utilizing local filesystem storage, an authenticated user can provide a URL-encoded absolute path in a Viewer storage API request. This action causes the system to discard the configured storage root, enabling the reading of arbitrary files from the server filesystem. This can lead to the disclosure of the server's master configuration, including database credentials, signing key locations, certificate passwords, and OAuth secrets, potentially resulting in a full compromise of the server and its data. Cloud deployments are not affected as they use object storage and do not enable this component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Altium Forum (affected versions not specified) **Description** A stored cross-site scripting (XSS) issue exists in the Altium Forum because of insufficient server-side input sanitization of forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts. This injected script is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute within the context of the victim’s authenticated Altium 365 session, potentially enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires a user to view a malicious forum post. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Altium 365 (affected versions not specified) **Description** A stored cross-site scripting (XSS) issue exists in the user profile text fields. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Altium Support Center (affected versions not specified) **Description** A stored cross-site scripting (XSS) issue exists in the `AddComment` API endpoint. The vulnerability is caused by a lack of server-side input sanitization. While the client interface applies HTML escaping, the backend stores arbitrary HTML and JavaScript received through modified POST requests. This allows for the execution of arbitrary JavaScript in the browser of users who view support cases, including those with elevated privileges. The `AddComment` endpoint is vulnerable. The vulnerable parameter is the POST request body. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Altium Workflow Engine (affected versions not specified) **Description** A stored cross-site scripting (XSS) issue exists because of insufficient server-side input sanitization within workflow form submission APIs. An authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser, potentially allowing privilege escalation, including the creation of new administrator accounts, session token theft, and the execution of administrative actions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Altium Forum (affected versions not specified) **Description** A stored cross-site scripting (XSS) issue exists because of insufficient server-side input validation of forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts. This injected script is then stored and executed when other users view the compromised post. Successful exploitation allows the attacker’s code to run within the context of the victim’s authenticated Altium 365 session, potentially granting unauthorized access to workspace data, including design files and workspace settings. Exploitation requires a user to view a malicious forum post. The API endpoint for forum post creation is susceptible to this issue, allowing injection of malicious code through the forum post content. The vulnerable parameter is the forum post content itself. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.