Tom Neaves

**Name of the Vulnerable Software and Affected Versions** Shadow version 4.13 **Description** The issue is related to insufficient neutralization of special elements in a request, which can be exploited to impact data integrity. In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program `chfn` (change finger). Although direct exploitation is not possible due to block lists, an adversary can misrepresent the `/etc/passwd` file when viewed. By using `r` manipulations and Unicode characters to work around blocking of the `:` character, it is possible to give the impression that a new user has been added. This could lead to a social-engineered denial of service, where a system administrator takes the system offline after being convinced that a rogue user account exists. **Recommendations** For Shadow version 4.13, consider disabling the `chfn` function until a patch is available to prevent potential manipulation of the `/etc/passwd` file. Restrict access to the `chfn` program to minimize the risk of exploitation. Avoid using the `chfn` program to modify user accounts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netgear DG632 version 3.4.0 ap **Description** The issue affects the administrative web interface, allowing remote attackers to cause a denial of service, resulting in a web outage. This can be achieved via an HTTP POST request to the "cgi-bin/firmwarecfg" endpoint. **Recommendations** For Netgear DG632 version 3.4.0 ap, consider restricting access to the "cgi-bin/firmwarecfg" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Netgear DG632 version 3.4.0 ap **Description** The issue allows remote attackers to bypass authentication on the administrative web interface. This can be achieved by making a direct request to several endpoints, including "gateway/commands/saveconfig.html", "stattbl.htm", "modemmenu.htm", "onload.htm", "form.css", "utility.js", and possibly "indextop.htm" in the html/ directory. **Recommendations** For Netgear DG632 version 3.4.0 ap, as a temporary workaround, consider restricting access to the mentioned endpoints to minimize the risk of exploitation. Avoid using the administrative web interface until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netgear DG632 version 3.4.0 ap **Description** The issue allows remote attackers to list arbitrary directories via a .. (dot dot) in the `nextpage` parameter in the cgi-bin/webcm administrative web interface. **Recommendations** For Netgear DG632 version 3.4.0 ap, consider restricting access to the cgi-bin/webcm administrative web interface until a fix is available, and avoid using the `nextpage` parameter with untrusted input.