Peter Kruse

Name of the Vulnerable Software and Affected Versions: VisNetic WebSite version 3.5 Description: The issue allows remote attackers to obtain the full pathname of the server. This is achieved by sending a request that contains a folder that does not exist, which in turn leaks the pathname in an error message. For example, this can be demonstrated using a request to ` vti bin/fpcount.exe`. Recommendations: For VisNetic WebSite version 3.5, consider restricting access to the ` vti bin` directory to minimize the risk of exploitation. Additionally, as a temporary workaround, avoid using the `fpcount.exe` executable until a patch is available or the issue is otherwise resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.