Anna Breeva

Name of the Vulnerable Software and Affected Versions: Microsoft Exchange Server (affected versions not specified) Description: The software contains an issue with improper handling of additional special elements, potentially allowing an unauthorized attacker to perform spoofing over a network. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Waybox Enel X web management application (affected versions not specified) **Description** The Waybox Enel X web management application has an issue that allows execution of arbitrary requests on the internal database via the `/admin/dbstore.php` API endpoint. This could potentially lead to unauthorized access or manipulation of data. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Waybox Enel X (affected versions not specified) **Description** The Waybox Enel X web management application has a flaw that allows execution of arbitrary requests on the internal database via the `/admin/versions.php` endpoint. This issue affects specific versions of Waybox. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Waybox Enel X web management application (affected versions not specified) **Description** The Waybox Enel X web management application has a flaw that allows users to execute arbitrary OS commands, providing administrator’s privileges over the Waybox system. This issue affects specific versions of WAYBOX-2023-001. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Waybox Enel X (affected versions not specified) **Description** The Waybox Enel X web management application contains a PHP-type juggling vulnerability that may allow a brute force process and under certain conditions bypass authentication. This weakness might let someone use improper input validation, potentially compromising the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: No specific software name or affected versions are mentioned in the provided descriptions. Description: The issue is related to a faulty implementation of the JWT-library, which can be exploited by an attacker with access to the private network or local access to the Ethernet-Interface to bypass password authentication to the web configuration interface. This allows the attacker to have full access as a user would have, although without developer or admin rights. If the JWT-library implementation is wrongly configured to accept "none"-algorithms, the server will pass insecure JWT, enabling a local, unauthenticated attacker to bypass the authentication mechanism. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Skoda Automotive cloud (affected versions not specified) **Description** The Skoda Automotive cloud contains a Broken Access Control issue, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Skoda Automotive cloud (affected versions not specified) **Description** The issue allows attackers to obtain nicknames and other user identifiers of Skoda Connect service users by specifying an arbitrary vehicle VIN number, due to a Broken Access Control vulnerability in the Skoda Automotive cloud. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MIB3 infotainment (affected versions not specified) **Description** The Real-Time Streaming Protocol implementation in the MIB3 infotainment incorrectly handles requests to "/logs" URI, when the `id` parameter equals to zero. This issue allows an attacker connected to the in-vehicle Wi-Fi network to cause denial-of-service of the infotainment system, when certain preconditions are met. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.