Pablo Alcarria

**Name of the Vulnerable Software and Affected Versions** DinoRANK (affected versions not specified) **Description** A Missing Authorization issue has been found, allowing an attacker to access invoices of any user. This is possible by accessing the endpoint "/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf" due to a lack of access control. The PDF filename can be obtained through OSINT, insecure network traffic, or brute force. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: eSigna versions 1.0 through 1.5 Description: The issue is related to an Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component. This vulnerability allows an unauthenticated attacker to access arbitrary files in the document system by manipulating file paths and object identifiers. Recommendations: For eSigna versions 1.0 through 1.5, consider restricting access to the eSignaViewer component until a patch is available. As a temporary workaround, limit the manipulation of file paths and object identifiers to prevent unauthorized access to the document system.

**Name of the Vulnerable Software and Affected Versions** eSigna product versions 1.0 through 1.5 **Description** The issue concerns Path Traversal and Insecure Direct Object Reference (IDOR) vulnerabilities in the eSignaViewer component. An unauthenticated attacker can access arbitrary files in the document system by manipulating file paths and object identifiers. **Recommendations** For eSigna product versions 1.0 through 1.5, consider restricting access to the eSignaViewer component until a patch is available. As a temporary workaround, limit the manipulation of file paths and object identifiers to prevent unauthorized access to the document system. At the moment, there is no information about a newer version that contains a fix for this vulnerability.