75 Total Results
Displaying 1-10 of 75
Attacker Value
Unknown

CVE-2024-40395

Disclosure Date: August 27, 2024 (last updated August 31, 2024)
An Insecure Direct Object Reference (IDOR) in PTC ThingWorx v9.5.0 allows attackers to view sensitive information, including PII, regardless of access level.
Attacker Value
Unknown

CVE-2018-20092

Disclosure Date: December 17, 2018 (last updated November 27, 2024)
PTC ThingWorx Platform through 8.3.0 is vulnerable to a directory traversal attack on ZIP files via a POST request.
Attacker Value
Unknown

CVE-2018-17218

Disclosure Date: October 01, 2018 (last updated November 27, 2024)
An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is reflected XSS in the SQUEAL search function.
Attacker Value
Unknown

CVE-2018-17217

Disclosure Date: October 01, 2018 (last updated November 27, 2024)
An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is a hardcoded encryption key.
Attacker Value
Unknown

CVE-2018-17216

Disclosure Date: October 01, 2018 (last updated November 27, 2024)
An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is password hash exposure to privileged users.
Attacker Value
Unknown

CVE-2024-8942

Disclosure Date: September 25, 2024 (last updated October 01, 2024)
Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the “id_form_msg_title” parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials.
Attacker Value
Unknown

CVE-2024-8941

Disclosure Date: September 25, 2024 (last updated October 01, 2024)
Path traversal vulnerability in Scriptcase version 9.4.019, in /scriptcase/devel/compat/nm_edit_php_edit.php (in the “subpage” parameter), which allows unauthenticated remote users to bypass SecurityManager's intended restrictions and list and/or read a parent directory via a “/...” or directly into a path used in the POST parameter “field_file” by a web application.
Attacker Value
Unknown

CVE-2024-8940

Disclosure Date: September 25, 2024 (last updated October 02, 2024)
Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ via a POST request. An attacker could upload malicious files to the server due to the application not properly verifying user input.
Attacker Value
Unknown

CVE-2024-6098

Disclosure Date: August 16, 2024 (last updated August 17, 2024)
When performing an online tag generation to devices which communicate using the ControlLogix protocol, a machine-in-the-middle, or a device that is not configured correctly, could deliver a response leading to unrestricted or unregulated resource allocation. This could cause a denial-of-service condition and crash the Kepware application. By default, these functions are turned off, yet they remain accessible for users who recognize and require their advantages.
Attacker Value
Unknown

CVE-2024-6071

Disclosure Date: June 27, 2024 (last updated June 28, 2024)
PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.