Ikki

**Name of the Vulnerable Software and Affected Versions** NetSupport Manager Agent versions 11.00 for Linux, 9.50 for Solaris, and 11.00 for Mac OS X **Description** A stack-based buffer overflow issue allows remote attackers to execute arbitrary code via a long control hostname to TCP port 5405. **Recommendations** For NetSupport Manager Agent version 11.00 for Linux, update to a version that fixes this issue. For NetSupport Manager Agent version 9.50 for Solaris, update to a version that fixes this issue. For NetSupport Manager Agent version 11.00 for Mac OS X, update to a version that fixes this issue. As a temporary workaround, consider restricting access to TCP port 5405 to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: DFLabs PTK versions 0.1 through 1.0 Description: The issue allows remote attackers to execute arbitrary commands via shell metacharacters after an arg1= sequence in a filename within a forensic image. This is due to a problem in the get file type function in lib/file content.php. Recommendations: For DFLabs PTK versions 0.1 through 1.0, consider restricting access to the get file type function in lib/file content.php until a patch is available. As a temporary workaround, avoid using filenames with shell metacharacters after an arg1= sequence in a forensic image.

**Name of the Vulnerable Software and Affected Versions** Philips Electronics VOIP841 DECT Phone versions 1.0.4.50 through 1.0.4.80 **Description** The issue concerns a back door "service" account with a predefined password, making it easier for remote attackers to gain access. **Recommendations** For versions 1.0.4.50 through 1.0.4.80, consider changing the password of the "service" account to a strong and unique one to prevent unauthorized access. As a temporary workaround, restrict access to the device until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Philips Electronics VOIP841 DECT Phone versions 1.0.4.50 through 1.0.4.80 **Description** The issue allows remote authenticated users to read arbitrary files via a .. (dot dot) in a GET request to API endpoints such as `/` or other unspecified endpoints, by manipulating the `file path` variable. This can potentially expose sensitive files, including `save.dat` and `apply.log`, which may contain credentials like the Skype username and password. **Recommendations** For versions 1.0.4.50 through 1.0.4.80, consider restricting access to sensitive files and directories to prevent unauthorized reading. As a temporary workaround, restrict access to the web server's GET request functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Philips Electronics VOIP841 DECT Phone versions 1.0.4.50 through 1.0.4.80 **Description** A cross-site scripting (XSS) issue exists in the web server component, allowing remote attackers to inject arbitrary web script or HTML via the request URL. This occurs because the web server does not properly handle the request URL in a 404 web error page. **Recommendations** For versions 1.0.4.50 through 1.0.4.80, as a temporary workaround, consider restricting access to the web server component until a patch is available. Avoid using the web server component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Boa version 0.93.15 Description: The issue allows remote attackers to change the admin password stored in memory by sending a long username in an HTTP Basic Authentication request. This is due to the failure of the Intersil isl3893 extensions to prevent stack writes from entering memory locations used for string constants. Recommendations: For Boa version 0.93.15, consider restricting access to the HTTP Basic Authentication endpoint until a fix is available. As a temporary workaround, avoid using the `username` variable in the affected API endpoint, such as "/api/v1/login", to minimize the risk of exploitation.