Sandro Einfeldt

Name of the Vulnerable Software and Affected Versions: Lawo AG vsm LTC Time Sync (vTimeSync) (affected versions not specified) Description: The web server is affected by a "..." (triple dot) path traversal issue. An unauthenticated remote attacker could download arbitrary files from the operating system by sending a specially crafted HTTP request. The exploitation is limited to files with specific extensions, such as .exe or .txt. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nitro PDF Pro versions prior to 13.70.8.82 Nitro PDF Pro versions 14.x prior to 14.26.1.0 **Description** The issue allows Local Privilege Escalation in the MSI Installer because custom actions occur unsafely in repair mode. CertUtil is run in a conhost.exe window, and there is a mechanism allowing CTRL+o to launch cmd.exe as NT AUTHORITYSYSTEM. **Recommendations** For Nitro PDF Pro versions prior to 13.70.8.82, update to version 13.70.8.82 or later. For Nitro PDF Pro versions 14.x prior to 14.26.1.0, update to version 14.26.1.0 or later. As a temporary workaround, consider restricting the use of the MSI Installer in repair mode until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Qognify VMS Client Viewer versions 7.1 and higher **Description** A DLL hijacking issue was identified, allowing local users to execute arbitrary code and obtain higher privileges via careful placement of a malicious DLL, if specific pre-conditions are met. **Recommendations** For Qognify VMS Client Viewer versions 7.1 and higher, consider restricting access to sensitive areas of the system to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling any functionality that relies on loading external DLLs until a fix is provided. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 3.7.36 and earlier **Description** The issue allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send `X-Forwarded-Host` to the "/index.php?p=admin/actions/users/send-password-reset-email" URI. The vendor's position is that a customer can already work around this by adjusting the configuration, i.e., by not using the default configuration. **Recommendations** For Craft CMS versions 3.7.36 and earlier, consider adjusting the configuration to avoid using the default settings as a workaround to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the "/index.php?p=admin/actions/users/send-password-reset-email" URI until a more permanent solution is available. Avoid using the default configuration to minimize the risk of exploitation.