Adam Simuntis

**Name of the Vulnerable Software and Affected Versions** Pega Platform versions 7.2 through 8.8.1 **Description** The issue is related to an XSS problem. **Recommendations** For Pega Platform versions 7.2 through 8.8.1, update to a version that includes a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Grandstream HT801 versions prior to 1.0.29 Description: The issue is related to multiple buffer overflows in the limited configuration shell (/sbin/gs config) that allow remote authenticated users to execute arbitrary code as root via a crafted `manage if` setting. This bypasses the intended restrictions of the shell, allowing full control of the device. Default weak credentials can be used to authenticate. Recommendations: For versions prior to 1.0.29, update to version 1.0.29 or later to resolve the issue. As a temporary workaround, consider changing the default weak credentials to strong ones and restricting access to the `/sbin/gs config` shell until the update can be applied.

Name of the Vulnerable Software and Affected Versions: Grandstream HT801 Analog Telephone Adaptor versions prior to 1.0.29.8 Description: An issue was discovered in the Grandstream HT801 Analog Telephone Adaptor. From the limited configuration shell, it is possible to set the malicious `gdb debug server` variable. As a result, after a reboot, the device downloads and executes malicious scripts from an attacker-defined host. Recommendations: For versions prior to 1.0.29.8, update to version 1.0.29.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the configuration shell to minimize the risk of exploitation. Avoid using the `gdb debug server` variable in the configuration until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** D-Link DSL-3782 version EU v. 1.01 **Description** The issue concerns a buffer overflow in the diagnostics functionality of the affected device. This allows authenticated remote attackers to execute arbitrary code by sending a long `Addr` value to the `set Diagnostics Entry` function in an HTTP request. The vulnerability is related to the `/userfs/bin/tcapi` endpoint. **Recommendations** For D-Link DSL-3782 version EU v. 1.01, consider disabling the `set Diagnostics Entry` function as a temporary workaround until a patch is available. Restrict access to the `/userfs/bin/tcapi` endpoint to minimize the risk of exploitation. Avoid using long `Addr` values in HTTP requests to the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** artmedic links5 version 5.0 **Description** The issue allows remote attackers to execute arbitrary PHP code by modifying the `id` parameter to reference a URL on a remote web server that contains the code. This is related to a remote file inclusion vulnerability in the index.php file. **Recommendations** For artmedic links5 version 5.0, consider restricting access to the `id` parameter in the index.php file to minimize the risk of exploitation. Avoid using the `id` parameter to reference external URLs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.