Stephan Rickauer

**Name of the Vulnerable Software and Affected Versions** D-Link devices (affected versions not specified) TRENDnet devices (affected versions not specified) **Description** The issue is related to a remote code execution problem in the ping tool of multiple D-Link and TRENDnet devices. It is caused by weaknesses in the authentication procedure when handling the ping command, specifically via the `ping addr` parameter. This allows remote attackers to execute arbitrary code. **Recommendations** For D-Link devices, consider restricting access to the ping tool until a fix is available. For TRENDnet devices, avoid using the `ping addr` parameter in the ping command until the issue is resolved. As a temporary workaround, consider disabling the ping tool in both D-Link and TRENDnet devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iTop versions 2.0, 1.2.1, 1.2, and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the search feature. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the `text` parameter to `pages/UI.php` and the `expression` parameter to `pages/run query.php` are vulnerable. **Recommendations** For versions 2.0, 1.2.1, 1.2, and earlier, consider disabling the search feature until a patch is available. Restrict access to the `pages/UI.php` and `pages/run query.php` endpoints to minimize the risk of exploitation. Avoid using the `text` and `expression` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** i-doit open versions 0.9.9-7 and earlier i-doit pro versions 1.0 and earlier i-doit pro version 1.0.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors due to multiple cross-site scripting (XSS) vulnerabilities. This occurs when the 'sanitize user input' flag is not enabled. **Recommendations** For i-doit open versions 0.9.9-7 and earlier, enable the 'sanitize user input' flag to prevent XSS attacks. For i-doit pro versions 1.0 and earlier, enable the 'sanitize user input' flag to prevent XSS attacks. For i-doit pro version 1.0.2, enable the 'sanitize user input' flag to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** Drupal CurvyCorners module versions 6.x-1.x through 7.x-1.x **Description** A cross-site scripting (XSS) issue exists, allowing remote authenticated users with the `administer curvycorners` permission to inject arbitrary web script or HTML. **Recommendations** For versions 6.x-1.x through 7.x-1.x, consider disabling the CurvyCorners module until a patch is available to prevent exploitation.