Manjyot Singh

Name of the Vulnerable Software and Affected Versions Kaleris YMS version 7.2.2.1 Description Incorrect access control in Kaleris YMS version 7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Kaleris YMS version 7.2.2.1 Description A flaw exists in the login process of Kaleris YMS version 7.2.2.1, enabling attackers to circumvent login checks and gain unauthorized access to application resources. Recommendations Update to a newer version that addresses this login bypass issue.

**Name of the Vulnerable Software and Affected Versions** DPMAdirektPro version 4.1.5 **Description** The issue allows for DLL Hijacking by placing a malicious DLL in a directory, which is then loaded by the application instead of the legitimate DLL. This results in the malicious DLL loading with the same privileges as the application, causing a privilege escalation. **Recommendations** For DPMAdirektPro version 4.1.5, consider restricting access to directories where the application loads DLLs to prevent malicious DLLs from being loaded. As a temporary workaround, ensure that all required legitimate DLLs are present in the expected directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mettler Toledo FreeWeight.Net Web Reports Viewer version 8.4.0 (440) **Description** A cross-site scripting (reflected XSS) issue was found, allowing an attacker to inject malicious scripts via the `IW SessionID ` parameter. This enables the execution of unauthorized code on the victim's browser. **Recommendations** For Mettler Toledo FreeWeight.Net Web Reports Viewer version 8.4.0 (440), consider restricting access to the `IW SessionID ` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Smart Toilet Lab - Motius version 1.3.11 **Description** The issue is related to the Smart Toilet Lab - Motius running with debug mode turned on, which exposes sensitive information defined in the Django settings file through a verbose error page. This occurs because the `DEBUG` mode is set to `True`. **Recommendations** For version 1.3.11, set `DEBUG` to `False` to prevent the exposure of sensitive information through verbose error pages. As a temporary workaround, consider restricting access to the error pages until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Canlineapp Online version 1.1 **Description** The issue concerns improper authorization checks, allowing users with the `Auditor` role to create an audit template, a feature designated for the `supervisor` role. This results from broken access control, enabling auditors to successfully create audit templates from their accounts. **Recommendations** For Canlineapp Online version 1.1, consider restricting the `create audit template` function to only the `supervisor` role as a temporary workaround until a patch is available. Restrict access to the audit template creation feature for users with the `Auditor` role to minimize the risk of exploitation.