Abdellah Benotsmane

**Name of the Vulnerable Software and Affected Versions** Waybox Enel X versions prior to the latest version **Description** Under certain conditions, through a request directed to the Waybox Enel X web management application, information like Waybox OS version or service configuration details could be obtained. The issue is of high severity and affects specific versions of the Waybox Enel X web management application. **Recommendations** Update to the latest version to mitigate the risk of information disclosure. As a temporary workaround, consider restricting access to the Waybox Enel X web management application until a patch is available. Avoid using the vulnerable web management application until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Enel X Waybox versions prior to the fixed version **Description** The issue is related to a lack of access control in the web management application, allowing system logs to be accessed. An attacker can obtain sensitive information, including Wi-Fi access point credentials, APN web address and credentials, IPSEC credentials, web interface access credentials for user and admin accounts, JuiceBox system components, C2G configuration details, internal IP addresses, and OTA firmware update configurations. All credentials are stored in logs in an unencrypted plaintext format. **Recommendations** For Enel X Waybox versions prior to the fixed version, refer to the remediation steps detailed in the security bulletin to address the issue. As a temporary workaround, consider restricting access to the web management application until a patch is available. Avoid using the web management application for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Waybox Enel X Web management application (affected versions not specified) **Description** The issue concerns a denial-of-service condition in the Waybox Enel X Web management application, where a specific request could cause the system to reboot. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Waybox Enel X (affected versions not specified) **Description** The Waybox Enel X web management application contains a PHP-type juggling vulnerability that may allow a brute force process and under certain conditions bypass authentication. This weakness might let someone use improper input validation, potentially compromising the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Waybox Enel X (affected versions not specified) **Description** The Waybox Enel X web management API authentication could be bypassed, providing administrator’s privileges over the Waybox system. This issue affects specific versions of Waybox, but the exact versions are not specified. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Waybox (affected versions not specified) **Description** The Waybox Enel TCF Agent service could be used to gain administrator privileges over the Waybox system. This is a high-severity issue affecting multiple versions of Waybox. Users are advised to review the security bulletin for remediation steps. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Skoda vehicles (affected versions not specified) **Description** The issue allows an attacker to send a specific reset UDS request via the OBDII port of Skoda vehicles, potentially causing the vehicle engine to shut down and resulting in the denial of service of other vehicle components, even when the vehicle is moving at a high speed. It is noted that no safety-critical functions are affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.