Paula Januszkiewicz

**Name of the Vulnerable Software and Affected Versions** Automatic-Systems SOC FL9600 FastLine lego T04E00 (affected versions not specified) **Description** The issue allows a remote attacker to obtain sensitive information via a directory traversal attack. This can be achieved by exploiting the `csvServer.php` endpoint with a specially crafted `dir` parameter containing a `..` sequence. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `csvServer.php` endpoint to minimize the risk of exploitation. Avoid using the `dir` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Automatic Systems SOC FL9600 FirstLane version V06 lego T04E00 Automatic Systems SOC FL9600 FastLine version v.legoT04E00 **Description** An issue in Automatic Systems SOC FL9600 allows a remote attacker to obtain sensitive information because there is an automatic systems super admin account with a hardcoded password, specifically `astech`. The attacker can exploit this via the admin login credentials. **Recommendations** For version V06 lego T04E00, consider changing the hardcoded password `astech` for the super admin account to prevent unauthorized access. For version v.legoT04E00, restrict access to the admin login credentials to minimize the risk of exploitation. As a temporary workaround, consider disabling the admin login feature until a patch is available.