Julia Zduńczyk

**Name of the Vulnerable Software and Affected Versions** WaveView versions prior to 6.44.44 **Description** The WaveView client allows users to execute a limited set of predefined commands and scripts on a connected WaveStore Server. A malicious attacker with high privileges can execute arbitrary OS commands on the server by exploiting a path traversal flaw in the `showerr` script. **Recommendations** Update to version 6.44.44 or later.

**Name of the Vulnerable Software and Affected Versions** WaveView versions prior to 6.44.44 **Description** A malicious attacker with high-privileges can read or delete files, with the permissions of the `dvr` user, on the server using path traversal in the `alog` script. The issue affects systems where users execute a restricted set of predefined commands and scripts on a connected WaveStore Server. **Recommendations** Update to version 6.44.44 or later.

**Name of the Vulnerable Software and Affected Versions** WaveView versions prior to 6.44.44 **Description** The WaveView client allows users to execute a limited set of predefined commands and scripts on a connected WaveStore Server. A malicious actor with elevated privileges can read or delete any file on the server due to a path traversal flaw in the `ilog` script. This script operates with root privileges. **Recommendations** Update to version 6.44.44 or later.