Victor A. Morales

**Name of the Vulnerable Software and Affected Versions** Altec DocLink version 4.0.336.0 **Description** The software has insecure .NET Remoting endpoints exposed over TCP and HTTP/SOAP via `Altec.RDCHostService.exe` using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling. This allows remote attackers to read arbitrary files from the underlying system by specifying local file paths. Attackers can also coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because writable paths may be web-accessible under IIS, this can result in unauthenticated remote code execution or denial of service through file overwrite. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Calero VeraSMART versions prior to 2022 R1 **Description** The application uses static machineKey values configured for the VeraSMART web application and stored in 'C:Program Files (x86)VeramarkVeraSMARTWebRootweb.config'. An attacker obtaining these keys can create a valid ASP.NET ViewState payload, bypassing integrity validation. This leads to server-side deserialization and remote code execution within the IIS application context. **Recommendations** Update to version 2022 R1 or later.

**Name of the Vulnerable Software and Affected Versions** Calero VeraSMART versions prior to 2026 R1 **Description** The software contains hardcoded static AES encryption keys within the `Veramark.Framework.dll` module, specifically in the `Veramark.Core.Config` class. These keys are used to encrypt the password of the service account stored in `C:VeraSMART Dataapp.settings`. An attacker with local access can extract these keys from the `Veramark.Framework.dll` module and decrypt the stored credentials. The recovered credentials can then be used to authenticate to the Windows host, potentially leading to local privilege escalation depending on the privileges of the configured service account. **Recommendations** Update to version 2026 R1 or later.

**Name of the Vulnerable Software and Affected Versions** Calero VeraSMART versions prior to 2022 R1 **Description** An unauthenticated .NET Remoting HTTP service is exposed on TCP port 8001 in affected versions. The service publishes default ObjectURIs, including `EndeavorServer.rem` and `RemoteFileReceiver.rem`, and allows the use of SOAP and binary formatters with TypeFilterLevel set to Full. A remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the `WebClient` class. This can allow retrieval of sensitive files, such as `WebRootweb.config`, potentially disclosing IIS machineKey validation and decryption keys. These keys can be used to generate a malicious ASP.NET ViewState payload, achieving remote code execution within the IIS application context. Supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking. **Recommendations** Update to version 2022 R1 or later.

**Name of the Vulnerable Software and Affected Versions** Entrust Corp Printer Manager versions D3.18.4-3 and below **Description** An issue in the Printer Manager System of Entrust Corp Printer Manager allows attackers to execute a directory traversal via a crafted POST request. **Recommendations** For Entrust Corp Printer Manager versions D3.18.4-3 and below, update to a patched version to prevent directory traversal attacks. As a temporary workaround, consider restricting access to the Printer Manager System until a patch is available. Avoid using crafted POST requests in the affected system until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Alvaria, Inc Unified IP Unified Director versions prior to 7.2SP2 **Description** The issue allows a remote attacker to execute arbitrary code via the `source` and `filename` parameters to the "ProcessUploadFromURL.jsp" component. **Recommendations** For versions prior to 7.2SP2, update to version 7.2SP2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "ProcessUploadFromURL.jsp" component until a patch is available. Avoid using the `source` and `filename` parameters in the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Entrust Instant Financial Issuance (formerly known as Cardwizard) versions 6.8.x and earlier, 6.9.0, 6.9.1, 6.9.2, 6.10.0 **Description** The issue concerns the use of a DLL library with a custom AES encryption process that relies on static hard-coded key values, which are not uniquely generated per installation of the software. This, combined with an encrypted password obtainable from "WebAPI.cfg.xml", makes decryption trivial and can lead to privilege escalation on the Windows host. **Recommendations** For versions 6.8.x and earlier, 6.9.0, 6.9.1, 6.9.2, 6.10.0, consider updating to a version that does not use static hard-coded key values for AES encryption, or temporarily restrict access to the DCG.Security.dll library until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Entrust Instant Financial Issuance (On Premise) Software versions 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier **Description** The issue concerns a configuration file, specifically `WebAPI.cfg.xml`, which is left behind after the installation process. This file can be accessed without authentication on HTTP port 80 by guessing the correct IIS webroot path. It contains system configuration parameter names and values, including sensitive configuration values that are encrypted. **Recommendations** For versions 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier, consider restricting access to the `WebAPI.cfg.xml` file to prevent unauthorized access until a patch is available. As a temporary workaround, restrict access to the HTTP port 80 to minimize the risk of exploitation. Avoid using guessable IIS webroot paths for sensitive configuration files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MCL-Net version 4.3.5.8788 **Description** A Directory Browsing issue allows attackers to gain sensitive information about the configured databases via the "/file" endpoint. This endpoint is accessible on the default port 5080. **Recommendations** For MCL-Net version 4.3.5.8788, consider restricting access to the "/file" endpoint as a temporary workaround until a patch is available.