Raisecom · Raisecom Iscom Ht803G-W · CVE-2019-7384
**Name of the Vulnerable Software and Affected Versions**
Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with firmware version ISCOMHT803G-U 2.0.0 140521 R4.1.47.002 or below
**Description**
An authenticated shell command injection issue has been discovered. The `fmgpon loid` parameter is used in a system call inside the boa binary without user input validation, leading to authenticated code execution on the device.
**Recommendations**
For Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with firmware version ISCOMHT803G-U 2.0.0 140521 R4.1.47.002 or below, consider restricting access to the boa binary or implementing input validation for the `fmgpon loid` parameter as a temporary mitigation measure until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
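The input-validation recommendation above, sketched in C as an added example; this is not Raisecom's code, which does not appear on this page. It assumes a LOID is 1 to 24 ASCII letters or digits, and the helper path and function names are hypothetical. The value is checked against an allowlist and then passed as a single `execv()` argument, so no shell ever parses it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define LOID_MAX_LEN 24                 /* assumed length limit */
#define LOID_HELPER  "/bin/loid_helper" /* hypothetical helper path */

/* Allowlist check: 1..LOID_MAX_LEN ASCII letters or digits, nothing else. */
int loid_is_valid(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > LOID_MAX_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
              (c >= 'a' && c <= 'z')))
            return 0;
    }
    return 1;
}

/* Validate, then run the helper with the value as one argv element so no
 * shell parses it. Returns its exit status, or -1 on rejection or failure. */
int apply_loid(const char *loid)
{
    int status = 0;
    if (!loid_is_valid(loid))
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = { (char *)LOID_HELPER, (char *)loid, NULL };
        execv(LOID_HELPER, argv);
        _exit(127);                     /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *samples[] = { "user12345", "abc;id", "" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("[%s] %d\n", samples[i], loid_is_valid(samples[i]));
    return 0;
}
```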