Dorsett Controls Security Bulletins (2024-07-03)

Security vulnerabilities identified within InfoScan versions 1.32, 1.33, and 1.35

Summary

The following issues have been found in versions 1.32, 1.33, and 1.35 of InfoScan.

Issue 1: Leak of possibly sensitive information through the response headers and through the rendered JavaScript prior to user login.
- Risk: Threat actors have a good starting point to attempt to log in, as they will know whether 2FA is enabled and will have usernames. Access attempts may be made through password brute force, but more likely through re-used passwords.

Issue 2: The InfoScan client download page can be intercepted with a proxy to expose filenames located on the system. This can lead to other information leaks by manually looking for sensitive information.
- Risk: A directory traversal vulnerability can lead to secrets being exposed and to other vulnerabilities being found within the software.

Required Actions

In light of these security vulnerabilities, we strongly recommend taking immediate action to patch them. Affected InfoScan systems should be updated to version 1.38 or higher.

To install this security patch, your administrator will need to log in to InfoScan and select System Prefs from the menu. Once the System Prefs application is open, select Maintenance, and click the Install Now button in the Ready To Install section.

If you are an offline customer (InfoScan has no internet access), you will need to download the update from the Dorsett Controls Customer Portal by selecting the InfoScan Update tile, downloading the update, and following the instructions listed on the portal.

For assistance with updates, please contact support@dorsettcontrols.com.
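Issue 2 above is a directory traversal risk on a file download endpoint. The following is an added illustration of the mitigation pattern such an endpoint should apply; it is not Dorsett Controls code and does not describe how InfoScan actually serves client downloads. The download root directory and the sample request values are assumptions constructed for the example.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Hypothetical download root; InfoScan's real layout is not described in the bulletin.
DOWNLOAD_ROOT = "/tmp/infoscan-client-downloads"


def resolve_download_path(base_dir: str, requested: str):
    """Map a client-supplied file name onto base_dir and return the absolute
    Path if it stays inside base_dir, or None if it would escape it."""
    base = Path(base_dir).resolve()
    # Decode once: traversal sequences are frequently sent percent-encoded (%2e%2e%2f),
    # so the containment check must run on the decoded value.
    name = unquote(requested)
    # Absolute paths and empty names are never valid download requests.
    if not name or os.path.isabs(name):
        return None
    # resolve() collapses '.' and '..' and follows symlinks, so the check below is
    # made against the real filesystem location rather than the raw string.
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def classify_requests(base_dir: str, requests):
    """Return {request: 'allowed' | 'denied'} for a batch of file-name parameters."""
    return {
        r: "allowed" if resolve_download_path(base_dir, r) is not None else "denied"
        for r in requests
    }


# Constructed sample of values a download endpoint might receive in its file parameter.
SAMPLE_REQUESTS = [
    "InfoScanClient.msi",        # plain file name inside the root
    "drivers/setup.exe",         # subdirectory inside the root
    "../config/app.json",        # climbs out of the root
    "..%2F..%2Fetc%2Fpasswd",    # same thing, percent-encoded
    "/etc/hostname",             # absolute path
    "",                          # empty parameter
]

if __name__ == "__main__":
    for req, verdict in classify_requests(DOWNLOAD_ROOT, SAMPLE_REQUESTS).items():
        print(f"{verdict:7} {req!r}")
```

The key design choice is to decide containment on the resolved path rather than by searching the raw string for "..": string filters miss encoded forms and symlinks, whereas `resolve()` followed by `relative_to()` rejects anything whose real location lies outside the download root.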