Alter

Name of the Vulnerable Software and Affected Versions: TOTOLINK T10 version 4.1.8cu.5241 B20210927 Description: A vulnerability exists in TOTOLINK T10 version 4.1.8cu.5241 B20210927 related to improper authentication. The issue is located in the `/formLoginAuth.htm` file and involves the manipulation of the `authCode` argument with the input `1`. The attack can be initiated remotely. The exploit has been publicly disclosed. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-8100 version 16.07 **Description** A critical issue affects the `upgrade filter asp` function of the `upgrade filter.asp` file, allowing for command injection through the manipulation of the `path` argument. This can be exploited remotely. The issue is related to inadequate data sanitization on the management level, enabling an attacker to execute arbitrary commands. **Recommendations** As a temporary workaround, consider disabling the `upgrade filter asp` function until a patch is available. Restrict access to the `upgrade filter.asp` file to minimize the risk of exploitation. Avoid using the `path` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-8100 version 16.07 **Description** A critical issue has been found in the function `msp info htm` of the file `msp info.htm`, related to inadequate data sanitization on the management level when processing the `cmd` parameter. This can lead to command injection, allowing a remote attacker to execute arbitrary commands. **Recommendations** For D-Link DI-8100 version 16.07, as a temporary workaround, consider disabling the `msp info htm` function until a patch is available. Restrict access to the `msp info.htm` file to minimize the risk of exploitation. Avoid using the `cmd` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.