Vsevolod Shamov

**Name of the Vulnerable Software and Affected Versions** Studio 42 elFinder version 2.1.64 **Description** The issue allows an arbitrary attacker to expose secrets and perform remote code execution (RCE) by copying files with unauthorized extensions between server directories. This is due to incorrect access control. **Recommendations** For Studio 42 elFinder version 2.1.64, consider restricting file copying operations between server directories to prevent unauthorized access until a patch is available. As a temporary workaround, restrict access to sensitive files and directories to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open-AudIT versions up to 3.5.3 **Description** The issue concerns the web interface of Open-AudIT, where sensitive information such as SSH secrets, Windows passwords, and SNMP strings are hidden from users using HTML 'password field' obfuscation. However, an attacker can use Developer tools or similar methods to modify this obfuscation, making the credentials visible. **Recommendations** For Open-AudIT versions up to 3.5.3, update to a version later than 3.5.3 to resolve the issue. As a temporary workaround, consider restricting access to the web interface to minimize the risk of credential exposure.