Jamie Harris

**Name of the Vulnerable Software and Affected Versions** OpenTSDB (affected versions not specified) D-Link DIR-X4860 (affected versions not specified) **Description** The issue arises from insufficient validation of parameters passed to the legacy HTTP query API, allowing for the injection of crafted OS commands and the execution of malicious code on the host system. This is due to an incomplete fix for a previously disclosed vulnerability. The regex validation implemented to restrict input does not work as intended, enabling crafted commands to bypass validation. **Recommendations** For OpenTSDB, as a temporary workaround, consider disabling the legacy HTTP query API until a patch is available. For D-Link DIR-X4860, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenTSDB (affected versions not specified) **Description** The issue is caused by insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint. This allows an attacker to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. The issue is related to a reflected XSS vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.