
Andrea Dubaldo

#16602 of 53,635
16.2 Total CVSS
Vulnerabilities · 2
Medium: 1
Critical: 1
PT-2026-3055
6.2
2026-01-15
Visual Tools · Visual Tools DVR VX16 · CVE-2021-47799

**Name of the Vulnerable Software and Affected Versions**
Visual Tools DVR VX16 version 4.2.28

**Description**
Visual Tools DVR VX16 version 4.2.28 has a local privilege escalation issue related to its Sudo configuration. An attacker can exploit unsafe Sudo settings by utilizing mount commands to bind a shell, which allows them to gain root access.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2021-23503
10
2021-10-07
Visual Tools · Visual Tools DVR VX16 · CVE-2021-42071

**Name of the Vulnerable Software and Affected Versions**
Visual Tools DVR VX16 version 4.2.28.0

**Description**
An unauthenticated attacker can achieve remote command execution via shell metacharacters in the "cgi-bin/slogin/login.py" API endpoint, specifically in the `User-Agent` HTTP header.

**Recommendations**
For Visual Tools DVR VX16 version 4.2.28.0, consider restricting access to the "cgi-bin/slogin/login.py" API endpoint until a patch is available. As a temporary workaround, avoid using shell metacharacters in the `User-Agent` HTTP header to minimize the risk of exploitation.