Tomáš Jelínek

Researcher at Red Hat
#19557 of 53,635
13.4 total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2015-6793
4.9
2015-09-01
Pcs · Pcs · CVE-2015-5189
**Name of the Vulnerable Software and Affected Versions**
PCS versions 0.9.139 and earlier

**Description**
A race condition exists in the pcsd web UI backend, allowing remote authenticated users to gain privileges by sending a command that is checked for security after another user is authenticated. This issue can be exploited to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user.

**Recommendations**
For PCS versions 0.9.139 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2015-6794
8.5
2015-09-01
Pcs · Pcs · CVE-2015-5190
**Name of the Vulnerable Software and Affected Versions**
PCS versions 0.9.139 and earlier

**Description**
The issue allows remote authenticated users to execute arbitrary commands via "escape characters" in a URL. This is related to the pcsd web UI.

**Recommendations**
For versions 0.9.139 and earlier, consider restricting access to the pcsd web UI until a fix is available. As a temporary workaround, avoid using URLs with "escape characters" in the pcsd web UI to minimize the risk of exploitation.