Lennert Preuth

**Name of the Vulnerable Software and Affected Versions** Visual Planning Admin Center 8 versions prior to v.1 Build 240207 **Description** The issue is related to insufficient access checks, allowing attackers with non-administrative accounts to utilize functions normally reserved for administrators. This can lead to the obtainment of different types of configured credentials and potentially elevate their privileges to administrator level. **Recommendations** For versions prior to v.1 Build 240207, update to version v.1 Build 240207 or later to resolve the issue. As a temporary workaround, consider restricting access to administrative functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Stilog Visual Planning version 8 **Description** An authentication bypass issue was found, allowing an unauthenticated attacker to obtain an administrative API token. **Recommendations** For Stilog Visual Planning version 8, consider restricting access to administrative API endpoints until a patch is available. As a temporary workaround, limit the use of administrative API tokens to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Stilog Visual Planning version 8 **Description** An authentication bypass issue was found, allowing an unauthenticated attacker to brute-force the password reset PINs of administrative users. **Recommendations** For Stilog Visual Planning version 8, consider temporarily restricting access to the password reset functionality until a patch is available. As a mitigation measure, limit the number of attempts to reset the PIN to prevent brute-force attacks. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Stilog Visual Planning version 8 **Description** An XML external entity (XXE) vulnerability was found in the software. It allows an authenticated attacker to access local server files and exfiltrate data to an external server. **Recommendations** For Stilog Visual Planning version 8, consider disabling XML external entities or restricting access to sensitive files as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Papaya Viewer version 1.0.1449 **Description** An issue was discovered where user-supplied input in the form of DICOM or NIFTI images can be loaded into the Papaya web application without sanitization. This allows the injection of arbitrary JavaScript code into image metadata, which is executed when the metadata is displayed in the Papaya web application. **Recommendations** For Papaya Viewer version 1.0.1449, as a temporary workaround, consider disabling the loading of user-supplied DICOM or NIFTI images into the Papaya web application until a patch is available. Restrict access to the image metadata display feature to minimize the risk of exploitation. Avoid using the Papaya web application to load untrusted images until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.