Silent Dream

**Name of the Vulnerable Software and Affected Versions** Core FTP versions prior to 2.2 build 1769 **Description** The issue allows remote FTP servers to execute arbitrary code or cause a denial of service via a long directory name in certain commands, including DELE, LIST, or VIEW commands. **Recommendations** For versions prior to 2.2 build 1769, update to version 2.2 build 1769 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** HomeSeer HS2 version 2.5.0.20 **Description** A directory traversal issue exists in the web interface, allowing remote attackers to access arbitrary files. **Recommendations** For HomeSeer HS2 version 2.5.0.20, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** HomeSeer HS2 version 2.5.0.20 **Description** A cross-site scripting (XSS) issue exists in the web interface, allowing remote attackers to inject arbitrary web script or HTML via a crafted URI request. **Recommendations** For HomeSeer HS2 version 2.5.0.20, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** HomeSeer HS2 version 2.5.0.20 **Description** A cross-site request forgery issue exists in the web interface of HomeSeer HS2, specifically in the /ctrl endpoint, allowing remote attackers to hijack admin authentication for requests that execute arbitrary programs. **Recommendations** For HomeSeer HS2 version 2.5.0.20, consider disabling access to the /ctrl endpoint in the web interface until a patch is available to prevent exploitation of this issue.

**Name of the Vulnerable Software and Affected Versions** GoAhead Webserver version 2.18 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The affected API endpoints include: "goform/AddGroup" related to `addgroup.asp`, "goform/AddAccessLimit" related to `addlimit.asp`, and "goform/AddUser" related to `adduser.asp`. The vulnerable parameters are: the `group` parameter to "goform/AddGroup", the `url` parameter to "goform/AddAccessLimit", the `user` (also known as User ID) parameter to "goform/AddUser", and the `group` parameter to "goform/AddUser". **Recommendations** For GoAhead Webserver version 2.18, as a temporary workaround, consider disabling access to the vulnerable API endpoints "goform/AddGroup", "goform/AddAccessLimit", and "goform/AddUser" until a patch is available. Restrict the use of the vulnerable parameters `group`, `url`, `user`, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.