Victor Morales

**Name of the Vulnerable Software and Affected Versions** UnForm Server versions prior to 10.1.15 **Description** UnForm Server versions prior to 10.1.15 have an unauthenticated arbitrary file read and SMB coercion issue in the Doc Flow feature’s `arc` endpoint. The Doc Flow module uses the `arc` handler to retrieve and render pages or resources specified by the `pp` parameter without authentication or path restrictions. This allows an unauthenticated remote attacker to read arbitrary files accessible to the service account by supplying local filesystem paths. On Windows, providing a UNC path can coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. **Recommendations** Update UnForm Server to version 10.1.15 or later.

Name of the Vulnerable Software and Affected Versions: Hyland OnBase versions prior to 17.0.2.87 Description: Hyland OnBase is vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint `TimerServer`, implemented in `Hyland.Core.Timers.dll`. This endpoint deserializes untrusted input using the .NET `BinaryFormatter`, allowing attackers to execute arbitrary code under the context of `NT AUTHORITYSYSTEM`. Recommendations: Update Hyland OnBase to version 17.0.2.87 or later.