Pierre Barre

**Name of the Vulnerable Software and Affected Versions** eGovFramework/egovframe-common-components versions up to and including 4.3.1 **Description** The software contains an unauthenticated file upload issue through the `/utl/wed/insertImage.do` and `/utl/wed/insertImageCk.do` API endpoints. These endpoints accept multipart requests without authentication and store uploaded files on the server. Prior to version 4.1.2, an attacker controls the response MIME type, enabling them to use the application as a file hosting service for arbitrary content. From version 4.1.2, non-image files are served with the `application/octet-stream` content type, preventing attacker control of the content type. The vulnerability allows an unauthenticated attacker to upload files and obtain a download URL. The filename extension is whitelisted, but the attacker controls the file contents. **Recommendations** Versions prior to 4.1.2: Address the attacker-controlled MIME type issue to prevent serving arbitrary content. Versions up to and including 4.3.1: Implement authentication for the `/utl/wed/insertImage.do` and `/utl/wed/insertImageCk.do` endpoints.

**Name of the Vulnerable Software and Affected Versions** AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 **Description** The web administration component (F2MAdmin) includes an unauthenticated prompt upload endpoint at `/AudioCodes files/utils/IVR/diagram/ajaxPromptUploadFile.php`. This script accepts uploaded files and writes them to the `C:F2MAdmintmp` directory using a filename derived from application constants, without authentication, authorization, or file-type validation. An unauthenticated remote attacker can upload or overwrite prompt- or music-on-hold–related files, potentially tampering with IVR audio content or preparing files for further attacks. **Recommendations** Versions prior to 2.6.23 should be updated.

**Name of the Vulnerable Software and Affected Versions** eGovFramework/egovframe-common-components versions up to and including 4.3.1 **Description** The Web Editor image upload functionality within the software uses symmetric encryption for URL parameters but reveals an encryption oracle. This allows attackers to create valid ciphertext for chosen values. The image upload endpoints `/utl/wed/insertImage.do` and `/utl/wed/insertImageCk.do` encrypt server-side paths, filenames, and MIME types, embedding them into a download URL returned to the client. These encrypted parameters are then trusted by other endpoints, such as `/utl/web/imageSrc.do` and `/cmm/fms/getImage.do`. An unauthenticated attacker can exploit this to obtain encrypted representations of attacker-chosen identifiers and replay them to file-serving APIs. This bypasses access controls that rely on the secrecy of encrypted parameters, potentially allowing retrieval of arbitrary stored files without proper authorization. The vulnerable parameters are the encrypted server-side paths, filenames, and MIME types. **Recommendations** Versions prior to 4.3.1 should be used.

**Name of the Vulnerable Software and Affected Versions** AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 **Description** The software contains a flaw due to an authenticated command injection in the fax test functionality implemented by AudioCodes files/TestFax.php. When a fax "send" test is requested, the application constructs a faxsender command line using parameters provided by an attacker and passes it to `RunBatchFile` without sufficient validation or shell-argument sanitization. The resulting batch file is written to a temporary run directory and then executed by a backend service running with SYSTEM privileges. An authenticated attacker with access to the fax test interface can create parameter values that inject additional shell commands into the generated batch file, resulting in arbitrary command execution with SYSTEM privileges. Additionally, due to overly permissive file system permissions on the location where the generated batch files are stored, a local low-privilege user on the server can modify pending batch files to achieve the same privilege escalation. **Recommendations** Versions prior to 2.6.23 should be used.

**Name of the Vulnerable Software and Affected Versions** AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 **Description** The software contains an unauthenticated file read issue through the `download.php` script. The script exposes a file download mechanism without proper access control, enabling unauthenticated remote users to request files from the appliance using attacker-supplied path and filename parameters. While the application limits file extensions, sensitive backup archives can be retrieved, potentially exposing internal databases and credential hashes. Exploitation may lead to the disclosure of administrative password hashes and other sensitive configuration data. The vulnerable endpoint is `/download.php` and utilizes parameters such as `filename` and `path` to retrieve files. **Recommendations** Versions prior to 2.6.23 should be updated.

**Name of the Vulnerable Software and Affected Versions** AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 **Description** The software contains a command injection issue within the license activation process, specifically in the ''ActivateLicense.php'' file located in the ''AudioCodes files'' directory. The application constructs a command for ''fax server lic cmdline.exe'' using a filename derived from a user-supplied license file upload. The file extension, which is controlled by the attacker, is incorporated into the command string without proper validation or sanitization. This allows an authenticated user to inject arbitrary shell commands that are executed with NT AUTHORITYSYSTEM privileges. The vulnerable parameter is the file extension within the uploaded license file. **Recommendations** Versions prior to 2.6.23 should be used.

**Name of the Vulnerable Software and Affected Versions** AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 **Description** The software contains an unauthenticated backup upload endpoint located at `/AudioCodes files/ajaxBackupUploadFile.php` within the F2MAdmin web interface. The script determines a backup folder path from the application configuration, creates the directory if it doesn't exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files. This can cause a log file or other server-controlled resource to be treated as executable code, allowing subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITYSYSTEM. **Recommendations** Versions prior to 2.6.23 should be updated.

**Name of the Vulnerable Software and Affected Versions** AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 **Description** The web administration component (F2MAdmin) includes an unauthenticated script-management endpoint at `/AudioCodes files/utils/IVR/diagram/ajaxScript.php`. The `saveScript` action within this endpoint allows writing attacker-supplied data directly to a file path on the server, running with NT AUTHORITYSYSTEM privileges on Windows. This enables a remote, unauthenticated attacker to write arbitrary files into the product’s web-accessible directory structure and subsequently execute them. **Recommendations** Versions prior to 2.6.23 should be updated.

**Name of the Vulnerable Software and Affected Versions** AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 **Description** The web administration component of the software controls Windows services using batch scripts located under `C:F2MAdminF2EAudioCodes filesutilsServices`. These scripts are invoked by PHP using the `system()` function under the `NT AUTHORITYSYSTEM` account when certain service actions are requested through the `ajaxPost.php` endpoint. Overly permissive Access Control Lists (ACLs) allow any authenticated local user to modify the contents of these scripts. By replacing script contents with arbitrary commands, an attacker can achieve local privilege escalation when the modified script is executed as `SYSTEM` during service start or stop operations. **Recommendations** Versions prior to 2.6.23 should be used.

**Name of the Vulnerable Software and Affected Versions** AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 **Description** The AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are configured with overly permissive file system permissions for the web document root located at C:F2MAdminF2E. Authenticated local users have modify rights on this directory, while the web server process runs with SYSTEM privileges. This allows local users to create or alter server-side scripts within the webroot and then trigger them via HTTP requests, resulting in arbitrary code execution with SYSTEM privileges. **Recommendations** Versions prior to 2.6.23 should be used.

**Name of the Vulnerable Software and Affected Versions** FiberHome AN5506-04-FA firmware versions up to and including RP2631 FiberHome HG6245D versions prior to RP2602 **Description** The HTTP service ('webs') does not properly limit the size of Cookie header values, resulting in a stack-based buffer overflow. Processing a cookie exceeding 511 bytes causes an overrun of a stack buffer, potentially leading to a crash or control of execution. **Recommendations** Update FiberHome AN5506-04-FA firmware to a version later than RP2631. Update FiberHome HG6245D firmware to a version RP2602 or later.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) (affected versions not specified) **Description** The software stores user passwords using unsalted SHA-512 hashes, with a fallback to unsalted SHA-1. The hashing is performed using PHP's `hash()` function in multiple files including `server write requests users.php`, `update database.php`, `legacy/Login.php`, and `tests/Unit/Api/IdpControllerTest.php`. The lack of per-user salt makes the hashing unsuitable for password storage, allowing an attacker with access to the password database to recover cleartext passwords through offline dictionary or rainbow table attacks. The code includes logic that migrates legacy SHA-1 hashes to SHA-512 during login, potentially exposing users still utilizing the older hash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) (affected versions not specified) **Description** The software stores a significant number of sensitive credentials, including database passwords, MySQL root password, SaaS keys, and Portainer admin password, in cleartext files that are world-readable. Any local user or process with access to the host filesystem can retrieve these credentials in plain text, potentially leading to credential theft and full compromise of the appliance. The vendor attributes this to a shared responsibility model, expecting administrators to configure persistent storage encryption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) (affected versions not specified) **Description** The Vasion Print Virtual Appliance Host and Application contains an undocumented user, `printerlogic`, with a hardcoded SSH public key located in the `~/.ssh/authorized keys` file. A sudoers rule grants the `printerlogic ssh` group ‘NOPASSWD: ALL’ privileges. Possession of the corresponding private key grants an attacker root access to the appliance. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 Vasion Print (formerly PrinterLogic) Application versions prior to 25.1.1413 **Description** Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application are affected by a server-side request forgery (SSRF) issue. The `/var/www/app/console release/hp/badgeSetup.php` script is accessible without authentication and constructs URLs from user-controlled parameters. The `processCurl()` function and PHP’s `file get contents()` function are used without proper validation of the hostname or URL, allowing attackers to make arbitrary HTTP requests to internal resources. This can lead to internal network reconnaissance, credential leakage, pivoting, and data exfiltration. The `hostname/URL` is taken directly from the request without any restrictions. **Recommendations** Update Vasion Print Virtual Appliance Host to version 25.1.102 or later. Update Vasion Print Application to version 25.1.1413 or later.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 Vasion Print (formerly PrinterLogic) Application versions prior to 25.1.1413 **Description** The software contains a blind server-side request forgery (SSRF) issue reachable via the `/var/www/app/console release/hp/log off single sign on.php` script. An unauthenticated user can exploit this. The software stores a printer’s host name in the variable `printer vo->str host address` and then builds a URL using this value, sending the request with curl without any validation, whitelisting, or private-network filtering. An attacker can probe internal services, trigger internal actions, or gather intelligence. **Recommendations** Update Vasion Print Virtual Appliance Host to version 25.1.102 or later. Update Vasion Print Application to version 25.1.1413 or later.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 Vasion Print (formerly PrinterLogic) Application versions prior to 25.1.1413 **Description** The software contains a blind server-side request forgery (SSRF) issue reachable via the `/var/www/app/console release/lexmark/dellCheck.php` script. An unauthenticated user can exploit this issue. The software stores a printer’s host name in the `printer vo->str host address` variable and then builds a URL to send a request using curl without any validation, whitelisting, or private-network filtering. An attacker can probe internal services, trigger internal actions, or gather intelligence. **Recommendations** Update Vasion Print Virtual Appliance Host to version 25.1.102 or later. Update Vasion Print Application to version 25.1.1413 or later.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 Vasion Print (formerly PrinterLogic) Application versions prior to 25.1.1413 **Description** The software contains a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console release/lexmark/update.php` script is accessible from the internet without authentication. The script constructs URLs from user-controlled values and then uses either `curl exec()` or `file get contents()` without proper validation. This allows a remote attacker to supply a hostname and make the server issue requests to internal resources, potentially enabling internal network reconnaissance, pivoting, or data exfiltration. **Recommendations** Update Vasion Print Virtual Appliance Host to version 25.1.102 or later. Update Vasion Print Application to version 25.1.1413 or later.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 Vasion Print (formerly PrinterLogic) Application versions prior to 25.1.1413 **Description** The software contains a server-side request forgery (SSRF) vulnerability. The `console release` directory is accessible from the internet without authentication. This directory includes multiple PHP scripts that construct URLs from user-supplied data and then use `curl exec()` or `file get contents()` without sufficient validation. While some files attempt to mitigate SSRF using `filter var()`, these checks are not comprehensive. An unauthenticated remote attacker can provide a hostname, allowing the server to make requests to internal resources, potentially enabling internal network reconnaissance, pivoting, or data exfiltration. **Recommendations** Update Vasion Print Virtual Appliance Host to version 25.1.102 or later. Update Vasion Print Application to version 25.1.1413 or later.

**Name of the Vulnerable Software and Affected Versions** Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 Vasion Print (formerly PrinterLogic) Application versions prior to 25.1.1413 **Description** The software contains a blind server-side request forgery (SSRF) issue reachable via the `/var/www/app/console release/hp/installApp.php` script. An unauthenticated user can exploit this issue. The software stores a printer’s host name in the variable `$printer vo->str host address` and then builds a URL to send a request using curl without any validation, whitelisting, or private-network filtering. An attacker can probe internal services, trigger internal actions, or gather intelligence. **Recommendations** Update Vasion Print Virtual Appliance Host to version 25.1.102 or later. Update Vasion Print Application to version 25.1.1413 or later.