A buffer overflow exists in the routine that handles URL encoding for the "csp" sub-directory (the location of the so-called G-WAN servlets). Because the input is attacker-controlled request data, exploiting it allows a remote attacker to execute shellcode on the server.
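To make the bug class concrete, here is an added illustration in C. It is written for this page; it is not G-WAN's code and is not derived from the affected routine, whose internals the report does not disclose. It shows the classic way a URL *encoder* overflows: every reserved byte expands to three bytes ("%XX"), so a routine that writes into a buffer sized for the raw path can be driven up to three times past its end by a request path made of reserved characters. The hypothetical `url_encode_unsafe` has that shape; `url_encode_safe` is the bounds-checked form that rejects the request instead.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative reconstruction of the bug class, NOT G-WAN's code.  A servlet
 * path under /csp/ is percent-encoded into a buffer the caller sized for the
 * raw path; each reserved byte becomes "%XX", so the output can be 3x larger. */

static const char HEX[] = "0123456789ABCDEF";

/* Unreserved characters (RFC 3986) pass through; everything else is encoded. */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
}

/* VULNERABLE (hypothetical): the encoder has no notion of the destination
 * size and trusts that dst is "big enough".  Returns bytes written (no NUL).
 * Shown for contrast only; the demo never calls it with an undersized buffer. */
size_t url_encode_unsafe(const char *src, char *dst)
{
    size_t n = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (is_unreserved(c)) {
            dst[n++] = (char)c;
        } else {
            dst[n++] = '%';
            dst[n++] = HEX[c >> 4];
            dst[n++] = HEX[c & 0x0F];
        }
    }
    dst[n] = '\0';
    return n;
}

/* Exact encoded length (excluding the NUL) the encoder will produce. */
size_t url_encoded_len(const char *src)
{
    size_t n = 0;
    for (; *src; src++)
        n += is_unreserved((unsigned char)*src) ? 1 : 3;
    return n;
}

/* HARDENED: every write is checked against dst_len.  On overflow the output is
 * left as the empty string and -1 is returned so the caller can reject the
 * request rather than continue with a half-encoded path. */
int url_encode_safe(const char *src, char *dst, size_t dst_len)
{
    size_t n = 0;
    if (dst_len == 0)
        return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        size_t need = is_unreserved(c) ? 1 : 3;
        if (dst_len - 1 - n < need) {   /* always keep room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (need == 1) {
            dst[n++] = (char)c;
        } else {
            dst[n++] = '%';
            dst[n++] = HEX[c >> 4];
            dst[n++] = HEX[c & 0x0F];
        }
    }
    dst[n] = '\0';
    return (int)n;
}

/* Demo 1 (constructed input): a short path fits and encodes correctly. */
int demo_small_path_encodes(void)
{
    char buf[64];
    int n = url_encode_safe("csp/hello world.c", buf, sizeof buf);
    return n == 21 && strcmp(buf, "csp%2Fhello%20world.c") == 0;
}

/* Demo 2 (constructed input): 60 bytes of '<' need 180 bytes of output, which
 * url_encode_unsafe would happily write past a 64-byte buffer; the hardened
 * encoder refuses instead. */
int demo_oversized_path_rejected(void)
{
    char path[61];
    char buf[64];
    memset(path, '<', 60);
    path[60] = '\0';
    return url_encoded_len(path) == 180
        && url_encode_safe(path, buf, sizeof buf) == -1
        && buf[0] == '\0';
}

int main(void)
{
    printf("small path encodes correctly: %s\n", demo_small_path_encodes() ? "yes" : "no");
    printf("oversized path rejected:      %s\n", demo_oversized_path_rejected() ? "yes" : "no");
    return 0;
}
```

The point of `url_encoded_len` is that the safe size cannot be derived from `strlen(src)`; a caller who sizes the destination from the input length has already lost, so the encoder itself must carry and check the destination size.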
I reported the problems to the G-WAN developer, who began by very kindly thanking me for my effort and asking for the details.
After I had, of course, shared all the findings, he returned an hour later claiming he could not for the life of him understand what I meant.
Since there is no archive of old versions, he will now pretend it never happened. I find this reaction very sad.
The author claims the problems were solved independently a couple of days before I reported them.