Alex Weber

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified) **Description** The issue is related to the unsafe handling of user credentials in the web-based management interface, allowing an authenticated, remote attacker to access sensitive information on an affected device. An attacker could exploit this by viewing portions of the web-based management interface, potentially gaining access to administrative credentials and elevated privileges by reusing stolen credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified) **Description** The issue is related to improper validation of user-supplied input to the web-based management interface, which could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. An attacker could exploit this by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. The web-based management interface is enabled by default. Additionally, there is a buffer overflow issue in the web-based management interface of the Cisco SPA100 Series IP phones' firmware, which could be exploited by a remote attacker using a specially crafted request to execute arbitrary code with elevated privileges. **Recommendations** For Cisco SPA100 Series Analog Telephone Adapters (ATAs), consider disabling the web-based management interface until a patch is available. Restrict access to the web-based management interface to minimize the risk of exploitation. Avoid using the web-based management interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified) **Description** The issue is related to improper validation of user-supplied input to the web-based management interface, which could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. An attacker could exploit this by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. The web-based management interface is enabled by default. Additionally, there is a buffer overflow issue in the web-based management interface of the Cisco SPA100 Series IP phones' firmware, which could be exploited by a remote attacker using a specially crafted request to execute arbitrary code with elevated privileges. **Recommendations** For Cisco SPA100 Series Analog Telephone Adapters (ATAs), consider disabling the web-based management interface until a patch is available. Restrict access to the web-based management interface to minimize the risk of exploitation. Avoid using the web-based management interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified) **Description** The issue is related to improper validation of user-supplied input to the web-based management interface, which could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. An attacker could exploit this by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. The web-based management interface is enabled by default. Additionally, there is a buffer overflow issue in the web-based management interface of the Cisco SPA100 Series IP phones' firmware, which could be exploited by a remote attacker using a specially crafted request to execute arbitrary code with elevated privileges. **Recommendations** For Cisco SPA100 Series Analog Telephone Adapters (ATAs), consider disabling the web-based management interface until a patch is available. Restrict access to the web-based management interface to minimize the risk of exploitation. Avoid using the web-based management interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified) **Description** The issue is related to improper validation of user-supplied input to the web-based management interface, which could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. An attacker could exploit this by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. The web-based management interface is enabled by default. Additionally, there is a buffer overflow issue in the web-based management interface of the Cisco SPA100 Series IP phones' firmware, which could be exploited by a remote attacker using a specially crafted request to execute arbitrary code with elevated privileges. **Recommendations** For Cisco SPA100 Series Analog Telephone Adapters (ATAs), consider disabling the web-based management interface until a patch is available. Restrict access to the web-based management interface to minimize the risk of exploitation. Avoid using the web-based management interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified) **Description** The issue is related to improper validation of user-supplied input to the web-based management interface, which could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. An attacker could exploit this by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. The web-based management interface is enabled by default. Additionally, there is a buffer overflow issue in the web-based management interface of the Cisco SPA100 Series IP phones' firmware, which could be exploited by a remote attacker using a specially crafted request to execute arbitrary code with elevated privileges. **Recommendations** For Cisco SPA100 Series Analog Telephone Adapters (ATAs), consider disabling the web-based management interface until a patch is available. Restrict access to the web-based management interface to minimize the risk of exploitation. Avoid using the web-based management interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series (affected versions not specified) **Description** The issue is related to errors in checking user requests to the web-based management interface. It could allow a remote attacker to cause a denial of service condition on an affected device. The problem is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this by sending a crafted request to the interface, potentially causing the device to stop responding and requiring manual intervention for recovery. **Recommendations** For Cisco SPA100 Series, consider restricting access to the web-based management interface until a fix is available. As a temporary workaround, manually monitor the device for any signs of denial of service and be prepared for manual intervention if necessary. Avoid using the web-based management interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified) **Description** The issue is related to improper input validation in the web-based management interface, allowing an authenticated, remote attacker to view the contents of arbitrary files on an affected device. This could be achieved by sending a crafted request to the web-based management interface, potentially resulting in the disclosure of sensitive information. **Recommendations** For Cisco SPA100 Series Analog Telephone Adapters (ATAs), consider restricting access to the web-based management interface until a fix is available. As a temporary workaround, limit the privileges of authenticated users to minimize the risk of exploitation. Avoid using the web-based management interface for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SPA100 Series Analog Telephone Adapters (ATAs) (affected versions not specified) **Description** The issue is related to improper restrictions on configuration information in the web-based management interface, which could allow an authenticated, remote attacker to access sensitive information on an affected device. An attacker could exploit this by sending a request through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that may include sensitive data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Synology DiskStation Manager (DSM) versions prior to 6.2-23739 **Description** The issue is related to the use of insufficiently random values in the `SYNO.Encryption.GenRandomKey` function, allowing man-in-the-middle attackers to compromise non-HTTPS sessions. **Recommendations** For versions prior to 6.2-23739, update to version 6.2-23739 or later to resolve the issue.