Stefan Mettler

**Name of the Vulnerable Software and Affected Versions:** MINOVA TTA version 11.17.0 **Description:** The MINOVA TTA service exposes authentication FTP credentials through debug port 1604, allowing unauthenticated remote access to active FTP accounts containing sensitive internal data and import structures. Debug ports 1602, 1603, and 1636 also expose service architecture information and system activity logs. In environments where the FTP server is integrated into automated business processes like EDI or data integration, this could lead to data manipulation, extraction, or abuse. **Recommendations:** MINOVA TTA version 11.17.0: Isolate or disable debug ports 1602, 1603, 1604, and 1636. MINOVA TTA version 11.17.0: Rotate FTP credentials.

**Name of the Vulnerable Software and Affected Versions** FAST LTA Silent Brick WebUI versions prior to 2.63.04 **Description** A critical OS Command Injection issue has been identified, allowing remote attackers to execute arbitrary operating system commands via specially crafted input. This issue arises due to improper handling of untrusted input, which is passed directly to system-level commands without adequate sanitization or validation. Successful exploitation could allow attackers to execute arbitrary commands on the affected system, potentially resulting in unauthorized access, data leakage, or full system compromise. The affected WebUI parameters are `hd` and `pi`. **Recommendations** For versions prior to 2.63.04, update to version 2.63.04 or later to resolve the issue. As a temporary workaround, consider restricting access to the `hd` and `pi` parameters in the WebUI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FAST LTA Silent Brick WebUI versions prior to 2.63.04 **Description** A Reflected Cross-Site Scripting (XSS) issue has been discovered, allowing attackers to inject malicious JavaScript code into web pages viewed by users. This occurs when user-supplied input is improperly handled and reflected directly in the output of a web page without proper sanitization or encoding. Exploiting this issue, an attacker can execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, data theft, and other malicious actions. Affected WebUI parameters are `h`, `hd`, `p`, `pi`, `s`, `t`, `x`, `y`. **Recommendations** For versions prior to 2.63.04, update to version 2.63.04 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected parameters `h`, `hd`, `p`, `pi`, `s`, `t`, `x`, `y` in the WebUI until a patch is applied.