Dorsett Controls Security Bulletins (2024-07-03)

Security vulnerabilities identified within InfoScan versions 1.32, 1.33, and 1.35

Summary

The following issues have been identified in versions 1.32, 1.33, and 1.35 of InfoScan.

Issue 1: Potential leakage of sensitive information through response headers and rendered JavaScript prior to user login.
- Risk: Attackers gain a strong starting point for login attempts, as they can determine whether 2FA is enabled and obtain usernames. Attackers may attempt password brute force, but reused passwords are more likely to be exploited.

Issue 2: The InfoScan client download page can be intercepted via a proxy, revealing filenames on the system. This may lead to additional information disclosure by manually searching for sensitive data.
- Risk: Directory traversal vulnerability may expose secrets and reveal other vulnerabilities within the software.

Required Actions

In light of this security vulnerability, we strongly recommend taking immediate action to patch the affected systems. Affected InfoScan versions should be updated to version 1.38 or higher.

To install the security patch, your administrator must log in to InfoScan and select System Prefs from the menu. Once the System Prefs application is open, navigate to Maintenance and click the Install Now button in the Ready To Install section.

If you are an offline customer (InfoScan has no internet access), you must download the update from the Dorsett Controls Customer Portal by selecting the InfoScan Update tile, downloading the update file, and following the instructions provided on the portal.

For assistance with updates, please contact support@dorsettcontrols.com.
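Issue 2 describes the general failure mode behind a directory traversal flaw in a file download page: the server joins a client-supplied name onto its download directory without confining the result to that directory. The example below is added here for illustration and is not Dorsett Controls' code; nothing is known about InfoScan's actual download handler, file layout or language. It builds a throwaway directory with constructed sample files, shows the naive join beside a hardened resolver that confines every request to the download root (rejecting "../" escapes, absolute paths, symlinks that point outside the root, and directories), and returns the outcome of each check so it can be verified.

```python
import tempfile
from pathlib import Path
from typing import Optional


def build_sample_root() -> Path:
    """Create a throwaway download directory with constructed sample files.

    The layout, file names and the 'secret' outside the root are invented for
    this example (assumption); they do not describe InfoScan's real layout.
    """
    root = Path(tempfile.mkdtemp(prefix="client-downloads-"))
    (root / "InfoScanClient-example.zip").write_bytes(b"constructed sample payload")
    (root / "docs").mkdir()
    (root / "docs" / "README.txt").write_text("constructed sample readme\n")
    # A file that lives outside the download root, standing in for the
    # secrets the bulletin warns a traversal could expose.
    outside = root.parent / (root.name + "-secrets")
    outside.mkdir(exist_ok=True)
    (outside / "config.ini").write_text("db_password=constructed-example\n")
    # A symlink inside the root that points outside it (skipped if the
    # platform does not allow symlink creation).
    try:
        (root / "link-to-secrets").symlink_to(outside)
    except OSError:
        pass
    return root


def resolve_unsafe(root: Path, requested: str) -> Path:
    """The vulnerable pattern: join whatever the client sent onto the root.

    '../' components and absolute paths are passed straight through.
    """
    return root / requested


def resolve_safe(root: Path, requested: str) -> Optional[Path]:
    """Return the file to serve, or None if the request leaves the root.

    Both sides are fully resolved (symlinks and '..' collapsed) before the
    containment check, so a symlink inside the root cannot escape it either.
    """
    if not requested or "\x00" in requested:
        return None
    root_real = root.resolve()
    candidate = (root_real / requested).resolve()
    try:
        candidate.relative_to(root_real)  # raises ValueError when outside root
    except ValueError:
        return None
    if not candidate.is_file():  # no directories, no dangling names
        return None
    return candidate


def run_checks(root: Optional[Path] = None) -> dict:
    """Exercise both resolvers; every value should be True for the safe one."""
    if root is None:
        root = build_sample_root()
    secret_rel = "../" + root.name + "-secrets/config.ini"
    return {
        "legit_ok": resolve_safe(root, "InfoScanClient-example.zip") is not None,
        "subdir_ok": resolve_safe(root, "docs/README.txt") is not None,
        # The naive join really does reach the file outside the root.
        "unsafe_escapes": resolve_unsafe(root, secret_rel).resolve().is_file(),
        "traversal_blocked": resolve_safe(root, secret_rel) is None,
        "absolute_blocked": resolve_safe(root, "/etc/passwd") is None,
        "symlink_blocked": resolve_safe(root, "link-to-secrets/config.ini") is None,
        "directory_blocked": resolve_safe(root, "docs") is None,
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

The containment check is done on fully resolved paths rather than on the raw string, because string-level filters for "../" miss encoded variants and symlinks; the is_file check additionally stops the endpoint from listing directories, which is the filename disclosure the bulletin describes as the first step toward finding sensitive data.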