Raffaele Sabato

**Nome do software vulnerável e versões afetadas** Sistema de Registro de Casamento Online, versão 1.0 **Descrição** O problema diz respeito a uma vulnerabilidade de injeção SQL baseada em tempo no parâmetro POST `searchdata` da solicitação “user/search.php”. Essa vulnerabilidade permite uma possível exploração. Não há informações disponíveis sobre o número estimado de dispositivos potencialmente afetados em todo o mundo ou sobre incidentes reais em que essa vulnerabilidade tenha sido explorada. **Recomendações** Para o Sistema de Registro de Casamento Online versão 1.0, considere restringir o acesso ao parâmetro `searchdata` na solicitação “user/search.php” até que uma correção esteja disponível. Como solução temporária, evite usar o parâmetro `searchdata` no endpoint da API afetado até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Fastweb FASTgate version 0.00.47 **Description** The issue allows for CSRF attacks, which can lead to significant impacts such as changing Wi-Fi passwords and activating Guest Wi-Fi. **Recommendations** For Fastweb FASTgate version 0.00.47, update to a newer version that contains a fix for this issue, as using an updated version should mitigate the risk of CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 Description: A Cross-site request forgery (CSRF) issue allows remote attackers to hijack user authentication for requests that modify settings, potentially leading to changes in user credentials, Wi-Fi passwords, and other settings. Recommendations: For DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103, as a temporary workaround, consider restricting access to the device's settings page to minimize the risk of exploitation. Avoid using the device until a patch or fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: MASTER IPCAMERA01 version 3.3.4.2103 Description: The issue allows for unauthenticated configuration changes. This is demonstrated by the ability to modify the port number of the web server. Recommendations: For MASTER IPCAMERA01 version 3.3.4.2103, consider restricting access to the web server configuration to prevent unauthorized changes until a fix is available.

Name of the Vulnerable Software and Affected Versions: MASTER IPCAMERA01 version 3.3.4.2103 Description: The issue allows remote attackers to obtain sensitive information via a crafted HTTP request. This can include accessing the `username`, `password`, and configuration settings. Recommendations: For version 3.3.4.2103, consider restricting access to the device until a patch is available. As a temporary workaround, avoid using default or weak passwords for the `username` and `password` fields. Additionally, limit access to configuration settings to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MASTER IPCAMERA01 version 3.3.4.2103 **Description** The issue is related to unauthenticated configuration download and upload in the MASTER IPCAMERA01 device. This can be exploited through the `restore.cgi` endpoint, allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For MASTER IPCAMERA01 version 3.3.4.2103, as a temporary workaround, consider restricting access to the `restore.cgi` endpoint until a patch is available. Additionally, limit configuration downloads and uploads to authorized personnel only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MASTER IPCAMERA01 version 3.3.4.2103 **Description** The issue is related to the use of hardcoded credentials in the device's software. Specifically, the root account has a hardcoded password of `cat1029`. This could allow a remote attacker to gain access to the device with root privileges. **Recommendations** For MASTER IPCAMERA01 version 3.3.4.2103, consider changing the root account password to a unique and strong password as soon as possible to mitigate the risk of exploitation. As a temporary workaround, restrict access to the device to minimize the risk of unauthorized access until a more permanent solution is available.