Juan Vazquez

**Name of the Vulnerable Software and Affected Versions** Hunt CCTV (affected versions not specified) Capture CCTV (affected versions not specified) Hachi CCTV (affected versions not specified) NoVus CCTV (affected versions not specified) Well-Vision Inc DVR systems (affected versions not specified) **Description** The issue allows a remote attacker to bypass authentication in the web interface of the affected systems, enabling them to retrieve the device configuration. **Recommendations** For Hunt CCTV, update to a version that addresses the authentication bypass issue. For Capture CCTV, update to a version that addresses the authentication bypass issue. For Hachi CCTV, update to a version that addresses the authentication bypass issue. For NoVus CCTV, update to a version that addresses the authentication bypass issue. For Well-Vision Inc DVR systems, update to a version that addresses the authentication bypass issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-845 versions prior to 1.02b03 D-Link DIR-600 versions prior to 2.17b01 D-Link DIR-645 versions prior to 1.04b11 D-Link DIR-300 rev. B D-Link DIR-865 **Description** An issue was discovered in "soap.cgi?service=WANIPConn1" where Command Injection via shell metacharacters is possible in the `NewInternalClient`, `NewExternalPort`, or `NewInternalPort` element of a SOAP POST request. **Recommendations** For D-Link DIR-845 versions prior to 1.02b03, update to version 1.02b03 or later. For D-Link DIR-600 versions prior to 2.17b01, update to version 2.17b01 or later. For D-Link DIR-645 versions prior to 1.04b11, update to version 1.04b11 or later. For D-Link DIR-300 rev. B and DIR-865, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the "soap.cgi?service=WANIPConn1" endpoint to minimize the risk of exploitation. Avoid using the `NewInternalClient`, `NewExternalPort`, or `NewInternalPort` elements in the affected SOAP POST request until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Ektron Content Management System (CMS) versions prior to 8.02 SP5 Description: The issue allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data, due to the use of the XslCompiledTransform class with enablescript set to true. Recommendations: For versions prior to 8.02 SP5, update to version 8.02 SP5 or later to resolve the issue. As a temporary workaround, consider disabling the use of the XslCompiledTransform class with enablescript set to true until a patch is available. Restrict access to XSL data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Radia Client Automation versions prior to 9.1 **Description** The issue is caused by a stack-based buffer overflow in the agent. This allows a remote attacker to execute arbitrary code by sending a large amount of data, potentially in environments lacking relationship-based firewalling. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 9.1, update to version 9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the agent to minimize the risk of exploitation. Avoid using the affected agent in environments that lack relationship-based firewalling until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Adobe Flash Player versions prior to 11.7.700.261 Adobe Flash Player versions 11.8.x through 12.0.x before 12.0.0.44 Adobe Flash Player versions prior to 11.2.202.336 on Linux **Description** The issue allows remote attackers to execute arbitrary code via unspecified vectors due to an integer underflow. This can potentially lead to the execution of arbitrary code, posing a significant risk. **Recommendations** For Adobe Flash Player versions prior to 11.7.700.261, update to version 11.7.700.261 or later. For Adobe Flash Player versions 11.8.x through 12.0.x, update to version 12.0.0.44 or later. For Adobe Flash Player versions prior to 11.2.202.336 on Linux, update to version 11.2.202.336 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Roller versions prior to 5.0.2 **Description** The issue allows remote attackers to execute arbitrary OGNL expressions via certain parameters, such as the pageTitle parameter in the !getPageTitle sub-URL to roller-ui/login.rol. This is possible due to certain getText methods in the ActionSupport controller. **Recommendations** For Apache Roller versions prior to 5.0.2, update to version 5.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the roller-ui/login.rol URL and its subclasses, such as UIAction, to minimize the risk of exploitation. Avoid using the pageTitle parameter in the !getPageTitle sub-URL until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Mutiny versions prior to 5.0-1.11 **Description** The issue allows remote authenticated users to upload and execute arbitrary programs, read arbitrary files, or cause a denial of service via multiple directory traversal vulnerabilities in the EditDocument servlet. This can be achieved through various parameters in different operations, including the `uploadPath` parameter in an UPLOAD operation, the `paths[]` parameter in DELETE, CUT, or COPY operations, or the `newPath` parameter in CUT or COPY operations. **Recommendations** For Mutiny versions prior to 5.0-1.11, update to version 5.0-1.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the EditDocument servlet or limiting the allowed operations to prevent potential exploitation. Additionally, restrict the use of the `uploadPath`, `paths[]`, and `newPath` parameters in the affected operations until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 6 through 8 **Description** The issue is related to a use-after-free vulnerability in the CDwnBindInfo function of the mshtml.dll library in Internet Explorer. This vulnerability allows a remote attacker to execute arbitrary JavaScript code by sending a specially crafted HTML file. The vulnerability may corrupt memory, enabling an attacker to execute arbitrary code in the context of the current user. It has been exploited in the wild, with reported incidents of remote code execution, including a watering hole attack on the Council on Foreign Relations website in 2012. **Recommendations** For Microsoft Internet Explorer versions 6 through 8, consider disabling the CDwnBindInfo object as a temporary workaround until a patch is available. Restrict access to potentially vulnerable web sites to minimize the risk of exploitation. Avoid using Internet Explorer for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Novell File Reporter version 1.0.2 **Description** A directory traversal issue exists, allowing remote attackers to upload and execute files. This is achieved by sending a request with a `..` (dot dot) in a `FILE` element of an `FSFUI` record, specifically via a "130 /FSF/CMD" request. **Recommendations** For Novell File Reporter version 1.0.2, consider restricting access to the NFRAgent.exe to minimize the risk of exploitation until a patch is available. Avoid using the `FILE` element in `FSFUI` records with dot dot (`..`) notation in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Novell File Reporter version 1.0.2 **Description** The issue allows remote attackers to read arbitrary files via a "/FSF/CMD" request with a .. (dot dot) in a `FILE` element of an FSFUI record. This is a directory traversal vulnerability in NFRAgent.exe. **Recommendations** For Novell File Reporter version 1.0.2, consider restricting access to the NFRAgent.exe to minimize the risk of exploitation. Avoid using the `FILE` element in the FSFUI record with a .. (dot dot) until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Novell File Reporter version 1.0.2 **Description** The issue allows remote attackers to read arbitrary files due to an absolute path traversal vulnerability in NFRAgent.exe. This can be exploited via a /FSF/CMD request with a full pathname in a PATH element of an SRS record. **Recommendations** For Novell File Reporter version 1.0.2, consider restricting access to the NFRAgent.exe until a patch is available. Avoid using the full pathname in the PATH element of an SRS record in the /FSF/CMD request to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Novell File Reporter version 1.0.2 **Description** A heap-based buffer overflow issue exists, allowing remote attackers to execute arbitrary code by sending a large number of VOL elements in an SRS record. **Recommendations** For Novell File Reporter version 1.0.2, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Novell ZENworks Asset Management (ZAM) version 7.5 **Description** The issue concerns the rtrlet web application in the Web Console, where a hard-coded username and password are used for certain operations. Specifically, the `GetFile Password` and `GetConfigInfo Password` operations utilize the hard-coded credentials, allowing remote attackers to obtain sensitive information. This can be achieved by crafting a request for the `HandleMaintenanceCalls` function. **Recommendations** For Novell ZENworks Asset Management (ZAM) version 7.5, consider changing the hard-coded username and password for the `GetFile Password` and `GetConfigInfo Password` operations to prevent unauthorized access. As a temporary workaround, restrict access to the `HandleMaintenanceCalls` function until a more secure solution is implemented.