Torsten Löbner

**Name of the Vulnerable Software and Affected Versions** ARP-GUARD version 4.0.0-5 **Description** A SQL injection issue allows unauthenticated remote attackers to execute arbitrary SQL commands. This is achieved via the `user id` parameter in a "/login/forgot1" POST request. **Recommendations** For ARP-GUARD version 4.0.0-5, avoid using the `user id` parameter in the "/login/forgot1" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SECUDOS DOMOS versions prior to 5.6 **Description** The issue affects the Log module, allowing for cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 5.6, update to version 5.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SECUDOS DOMOS versions prior to 5.6 **Description** The issue concerns the Log module in SECUDOS DOMOS, which allows local file inclusion. **Recommendations** For versions prior to 5.6, update to version 5.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG Homematic CCU3 versions 3.43.15 and earlier **Description** The issue allows unauthenticated remote attackers to disclose password hashes of GUI users through the User.getUserPWD method. This can be exploited by attackers with access to the web interface. **Recommendations** For versions 3.43.15 and earlier, update to a version that fixes this issue to prevent unauthenticated password hash disclosure. As a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation.