Cerberus · Cerberus Helpdesk · CVE-2005-4427
**Name of the Vulnerable Software and Affected Versions**
Cerberus Helpdesk (affected versions not specified)
**Description**
The issue concerns multiple SQL injection vulnerabilities that allow remote attackers to execute arbitrary SQL commands. The injectable inputs are several parameters and variables: the `file_id` parameter to "attachment_send.php"; the `$addy`, `$address`, and `$a_address` variables in "email_parser.php" and "structs.php"; the `kbid` parameter to "cer_KnowledgebaseHandler.class.php"; the `queues[]` parameter to "addresses_export.php"; the `$thread` variable to "display.php"; and the `ticket` parameter to "display_ticket_thread.php".
**Recommendations**
For the `file_id` parameter in "attachment_send.php", restrict access to this endpoint to minimize the risk of exploitation.
For the `$addy`, `$address`, and `$a_address` variables in "email_parser.php" and "structs.php", avoid using these variables until the issue is resolved.
For the `kbid` parameter to "cer_KnowledgebaseHandler.class.php", restrict input to prevent SQL injection.
For the `queues[]` parameter to "addresses_export.php", limit access to authorized users.
For the `$thread` variable to "display.php", ensure proper validation of user input.
For the `ticket` parameter to "display_ticket_thread.php", implement input sanitization to prevent SQL injection.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
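The recommendations above all come down to one control: treat request parameters as untrusted and bind them into the query instead of concatenating them. The following PHP is an added illustration, not Cerberus Helpdesk code; it shows the injectable pattern beside a hardened form built on PDO prepared statements, for both a scalar parameter (`ticket`) and an array parameter (`queues[]`). The `tickets` table, its rows, the function names and the request values are all constructed for the example.

```php
<?php
// Added illustration, not Cerberus Helpdesk code: the injection pattern behind
// CVE-2005-4427 (request values concatenated into SQL) beside a hardened version
// using PDO prepared statements. Table and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tickets (id INTEGER PRIMARY KEY, queue INTEGER, subject TEXT)");
$db->exec("INSERT INTO tickets VALUES (1, 10, 'printer'), (2, 20, 'vpn'), (3, 10, 'email')");

// Vulnerable shape (hypothetical): the request value goes straight into the query,
// so a value like "1 OR 1=1" rewrites the WHERE clause instead of matching one id.
function vulnerable_ticket(PDO $db, string $ticket): array {
    return $db->query("SELECT id, subject FROM tickets WHERE id = " . $ticket)->fetchAll(PDO::FETCH_ASSOC);
}

// Reject anything that is not a positive integer before it reaches SQL.
function as_positive_int($value): ?int {
    $v = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Hardened scalar parameter (ticket, file_id, kbid, ...): validate, then bind.
function safe_ticket(PDO $db, string $ticket): array {
    $id = as_positive_int($ticket);
    if ($id === null) {
        throw new InvalidArgumentException('ticket must be a positive integer');
    }
    $stmt = $db->prepare("SELECT id, subject FROM tickets WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened array parameter (queues[]): one placeholder per element, every element
// validated and bound, so the IN list can never carry SQL text.
function safe_queues(PDO $db, array $queues): array {
    $ids = array_map('as_positive_int', $queues);
    if ($ids === [] || in_array(null, $ids, true)) {
        throw new InvalidArgumentException('queues[] must contain positive integers');
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, subject FROM tickets WHERE queue IN ($placeholders) ORDER BY id");
    $stmt->execute(array_values($ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$sample = '1 OR 1=1';  // constructed request value for the demonstration
echo "vulnerable path returned ", count(vulnerable_ticket($db, $sample)), " rows (all of them)\n";
echo "hardened path returned ", count(safe_ticket($db, '1')), " row for ticket 1\n";
try { safe_ticket($db, $sample); }
catch (InvalidArgumentException $e) { echo "hardened path rejected the same value: ", $e->getMessage(), "\n"; }
echo "queues[]=10 returned ", count(safe_queues($db, ['10'])), " rows\n";
```

Validation on its own is not the fix (a free-text field such as an address cannot be reduced to an integer check); binding is what keeps the data out of the SQL grammar, and the type check simply rejects malformed input early with a clear error.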