Formulatrix · Formulatrix Rock Maker Web · CVE-2025-0632
**Name of the Vulnerable Software and Affected Versions**
Formulatrix Rock Maker Web versions 3.2.1.1 and later
**Description**
A Local File Inclusion (LFI) vulnerability in the Render function of Formulatrix Rock Maker Web allows a remote attacker to obtain sensitive data via arbitrary code execution. This could enable a malicious actor to execute malicious scripts that automatically download configuration files from known locations to exfiltrate data, including credentials. The lack of rate limiting also allows a malicious actor to enumerate the filesystem of the host machine, potentially leading to full host compromise.
**Recommendations**
For versions 3.2.1.1 and later, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
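With no fixed version identified, reviewing web server logs is one way to spot the two behaviours the Description names: file paths that escape the intended directory, and rapid enumeration made possible by the missing rate limit. The script below is an added example, not Formulatrix code or part of the original advisory; the endpoint path `/render`, the parameter name `file`, the log layout and the thresholds are all assumptions to adapt to the real deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions, not from the advisory: endpoint path, parameter name and the
# log layout "<ISO time> <client> <method> <url> <status>".
RENDER_PATH = "/render"   # hypothetical
FILE_PARAM = "file"       # hypothetical
ESCAPE = re.compile(r"\.\.[\\/]|^[a-zA-Z]:[\\/]|^[\\/]")  # ../, C:\, rooted

def fully_decode(value, rounds=3):
    """Undo nested URL encoding (%252e -> %2e -> .) before matching."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def analyse(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {client: reasons} for suspicious render requests."""
    findings = defaultdict(set)
    recent = defaultdict(deque)  # client -> (time, file value) in window
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line
        stamp, client, _method, url, _status = parts
        target = urlsplit(url)
        if target.path.lower() != RENDER_PATH:
            continue
        when = datetime.fromisoformat(stamp)
        for raw in parse_qs(target.query).get(FILE_PARAM, []):
            name = fully_decode(raw)  # parse_qs already decoded once
            if ESCAPE.search(name):
                findings[client].add("path-escape")
            seen = recent[client]
            seen.append((when, name))
            while when - seen[0][0] > window:
                seen.popleft()
            if len({n for _, n in seen}) > max_distinct:
                findings[client].add("enumeration")
    return dict(findings)

# Constructed sample log lines, not taken from a real system.
SAMPLE = [f"2025-01-01T10:05:0{i} 10.0.0.7 GET /render?file=cfg{i}.xml 404"
          for i in range(8)]
SAMPLE += [
    "2025-01-01T10:00:00 10.0.0.5 GET /render?file=reports/plate1.png 200",
    "2025-01-01T10:01:00 10.0.0.9 GET /render?file=..%2f..%2fsettings.xml 200",
    "2025-01-01T10:01:05 10.0.0.9 GET /render?file=%252e%252e%252fsettings.xml 200"]
```

`analyse(SAMPLE)` flags 10.0.0.9 for path escape (including the double-encoded request) and 10.0.0.7 for enumeration, while the ordinary request from 10.0.0.5 is not reported.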