Backdrop CMS 1.7.1 Cross Site Scripting
Backdrop CMS versions 1.7.1 and below suffer from a persistent cross site scripting vulnerability.
WebClientPrint Processor version 2.0.15.109 suffers from a remote code execution vulnerability via print jobs.
RedTeam Pentesting discovered that WebClientPrint Processor (WCPP) does not validate TLS certificates when initiating HTTPS connections. Thus, a man-in-the-middle attacker may intercept and/or modify HTTPS traffic in transit. This may result in disclosure of sensitive information, and the integrity of printed documents cannot be guaranteed. Version 2.0.15.109 is affected.
RedTeam Pentesting discovered that rogue updates trigger a remote code execution vulnerability in WebClientPrint Processor (WCPP). These updates may be distributed through specially crafted websites and are processed without any user interaction as soon as the website is accessed. However, the browser must run with administrative privileges. Version 2.0.15.109 is affected.
RedTeam Pentesting discovered that attackers can configure a proxy host and port to be used when fetching print jobs with WebClientPrint Processor (WCPP). This proxy setting may be distributed via specially crafted websites and is set without any user interaction as soon as the website is accessed. Version 2.0.15.109 is affected.
Progress Sitefinity version 9.1 suffers from cross site scripting, broken session management, and open redirection vulnerabilities.
Automated Logic WebCTRL version 6.5 suffers from an insecure file permission privilege escalation vulnerability.
Automated Logic WebCTRL version 6.1 suffers from path traversal and arbitrary file write vulnerabilities.
Automated Logic WebCTRL version 6.5 suffers from an unrestricted file upload vulnerability that allows for remote code execution.
eCardMAX version 10.5 suffers from a remote SQL injection vulnerability.