Tanya Secker

**Name of the Vulnerable Software and Affected Versions** Plixer International Scrutinizer NetFlow & sFlow Analyzer versions prior to 9.0.1.19899 **Description** The issue concerns a lack of user permission validation in the cgi-bin/userprefs.cgi component. This allows remote attackers to create new user accounts with administrator privileges by exploiting the `newuser`, `pwd`, and `selectedUserGroup` parameters. **Recommendations** For versions prior to 9.0.1.19899, update to version 9.0.1.19899 or later to resolve the issue. As a temporary workaround, consider restricting access to the cgi-bin/userprefs.cgi component to prevent unauthorized account creation.

**Name of the Vulnerable Software and Affected Versions** Plixer International Scrutinizer NetFlow & sFlow Analyzer versions 8.6.2.16204 through 9.0.1.19899 **Description** Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands via the `addip` parameter to "cgi-bin/scrut fa exclusions.cgi", the `getPermissionsAndPreferences` parameter to "cgi-bin/login.cgi", or possibly certain parameters to "d4d/alarms.php" as demonstrated by the `search str` parameter. **Recommendations** For versions 8.6.2.16204 through 9.0.1.19899, update to version 9.0.1.19899 or later to resolve the issue. As a temporary workaround, consider restricting access to the "cgi-bin/scrut fa exclusions.cgi" and "cgi-bin/login.cgi" endpoints until a patch is available. Avoid using the `addip` and `getPermissionsAndPreferences` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Plixer International Scrutinizer NetFlow & sFlow Analyzer versions 8.6.2.16204 through 9.0.1.19899 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `newUser` parameter in the cgi-bin/userprefs.cgi file. This might not be considered a vulnerability if an administrator already has the privileges to create arbitrary script. **Recommendations** For versions 8.6.2.16204 through 9.0.1.19899, update to version 9.0.1.19899 or later to resolve the issue. As a temporary workaround, consider restricting access to the cgi-bin/userprefs.cgi file to minimize the risk of exploitation. Avoid using the `newUser` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Plixer International Scrutinizer NetFlow and sFlow Analyzer versions 8.6.2.16204 through 9.0.1.19898 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `standalone` parameter in the `cgi-bin/scrut fa exclusions.cgi` endpoint. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For versions 8.6.2.16204 through 9.0.1.19898, update to version 9.0.1.19899 or later to resolve the issue. As a temporary workaround, consider restricting access to the `cgi-bin/scrut fa exclusions.cgi` endpoint to minimize the risk of exploitation. Avoid using the `standalone` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tableau Server versions 8.0.x through 8.0.6 Tableau Server versions 8.1.x through 8.1.1 **Description** A SQL injection issue allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. If the guest user is enabled, this can also be exploited by unauthenticated remote attackers. **Recommendations** For Tableau Server versions 8.0.x through 8.0.6, update to version 8.0.7 or later. For Tableau Server versions 8.1.x through 8.1.1, update to version 8.1.2 or later.