Junqi

**Name of the Vulnerable Software and Affected Versions** Totolink WA300 version 5.2cu.7112 B20190227 **Description** A flaw exists in the `recvUpgradeNewFw` function within the `/cgi-bin/cstecgi.cgi` file that allows for os command injection. Remote exploitation is possible. The details of the issue have been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-820LW version 2.03 **Description** A flaw exists in the SSDP component’s `ssdpcgi main` function that could allow for operating system command injection. Successful exploitation may occur remotely. The exploit has been publicly disclosed. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the SSDP functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Tenda AC21 version 16.03.08.16 **Description** A buffer overflow issue exists in the `formSetQosBand` function of the `/goform/SetNetControlList` file. Manipulation of arguments to this function can trigger the overflow, allowing for remote exploitation. The exploit is publicly available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda A18 version 15.13.07.13 **Description** A flaw exists in the Tenda A18 device that could allow for remote manipulation. Specifically, the `parse macfilter rule` function within the `/goform/setBlackRule` file is susceptible to a stack-based buffer overflow when the `deviceList` argument is improperly handled. This issue has been publicly disclosed. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `parse macfilter rule` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-823X version 250416 **Description** A flaw exists in the D-Link DIR-823X 250416 device that allows for operating system command injection. This issue is related to the `sub 4211C8` function within the `/goform/set filtering` file. Successful exploitation can be performed remotely. The exploit for this issue has been publicly disclosed. The vulnerable component is the `/goform/set filtering` file and the `sub 4211C8` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sangfor Operation and Maintenance Management System versions up to 3.0.8 **Description** A flaw exists in Sangfor Operation and Maintenance Management System that allows for remote operating system command injection. This issue stems from the manipulation of the `filename` argument within the `uploadCN` function of the `VersionController.java` file. The vulnerability can be triggered remotely. Reports indicate increased targeting of systems affected by this issue, and a public exploit is available. The vendor was notified but did not respond. **Recommendations** Versions up to 3.0.8 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the `uploadCN` function within the `VersionController.java` file.