Safvan Parakkal

**Name of the Vulnerable Software and Affected Versions** Zenitel AlphaWeb XE version 11.2.3.10 **Description** An issue in the component /php/script uploads.php allows attackers to execute a directory traversal. **Recommendations** For Zenitel AlphaWeb XE version 11.2.3.10, consider restricting access to the /php/script uploads.php component until a patch is available. As a temporary workaround, avoid using the vulnerable component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zenitel AlphaWeb XE version 11.2.3.10 **Description** The issue is related to a local file inclusion vulnerability. It affects the component `amc uploads.php`. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Zenitel AlphaWeb XE version 11.2.3.10, consider restricting access to the `amc uploads.php` component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hikvision Interactive Tablet DS-D5B86RB/B version 2.3.0 build220119 **Description** Insecure default configurations in the Hikvision Interactive Tablet allow attackers to execute arbitrary commands. **Recommendations** For version 2.3.0 build220119, consider changing the default configurations to secure settings to prevent the execution of arbitrary commands. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** INOTEC Sicherheitstechnik WebServer CPS220/64 version 3.3.19 **Description** The issue allows a remote attacker to read arbitrary files via absolute path traversal. For example, using the "/cgi-bin/display?file=/etc/passwd" URI, an attacker can access sensitive files. There is also a mention of potential code execution via the /etc/passwd file, although the primary impact described is file reading. **Recommendations** For INOTEC Sicherheitstechnik WebServer CPS220/64 version 3.3.19, consider restricting access to the /cgi-bin/display API endpoint to minimize the risk of exploitation. Avoid using the `file` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.