Błażej Adamczyk

**Name of the Vulnerable Software and Affected Versions** CTFd versions 3.7.0 through 3.7.4 **Description** A flaw in logic implementation in CTFd allows an authenticated user to reset their team assignment and join another team while a competition is ongoing. This issue impacts releases from 3.7.0 up to 3.7.4. The problem was addressed in the 3.7.5 release. **Recommendations** For versions 3.7.0 through 3.7.4, update to version 3.7.5 to resolve the issue. As a temporary workaround, consider restricting team changes during ongoing competitions until the update to version 3.7.5 is applied.

**Name of the Vulnerable Software and Affected Versions** CTFd versions prior to 3.7.5 **Description** The issue concerns tokens used for account activation and password resetting in CTFd, which can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and are not single use. This means that during the token expiration time, an on-path attacker might reuse such a token to change a user's password and take over the account. Moreover, the tokens also include the user's email encoded in base64. **Recommendations** For versions prior to 3.7.5, update to version 3.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the account activation and password resetting features until the update is applied. Additionally, users should be cautious when using these features and monitor their account activity for any suspicious behavior.

**Name of the Vulnerable Software and Affected Versions** D-Link DWR-116 versions 1.06 and earlier D-Link DIR-140L versions 1.02 and earlier D-Link DIR-640L versions 1.02 and earlier D-Link DWR-512 versions 2.02 and earlier D-Link DWR-712 versions 2.02 and earlier D-Link DWR-912 versions 2.02 and earlier D-Link DWR-921 versions 2.02 and earlier D-Link DWR-111 versions 1.01 and earlier **Description** The issue is related to a directory traversal vulnerability in the web interface of D-Link devices. This vulnerability allows remote attackers to read arbitrary files via a specially crafted HTTP request, such as by including `/..` or `//` after "GET /uir". The vulnerability exists due to insufficient path checking. **Recommendations** For D-Link DWR-116 versions 1.06 and earlier, update to a version later than 1.06. For D-Link DIR-140L versions 1.02 and earlier, update to a version later than 1.02. For D-Link DIR-640L versions 1.02 and earlier, update to a version later than 1.02. For D-Link DWR-512 versions 2.02 and earlier, update to a version later than 2.02. For D-Link DWR-712 versions 2.02 and earlier, update to a version later than 2.02. For D-Link DWR-912 versions 2.02 and earlier, update to a version later than 2.02. For D-Link DWR-921 versions 2.02 and earlier, update to a version later than 2.02. For D-Link DWR-111 versions 1.01 and earlier, update to a version later than 1.01. As a temporary workaround, consider restricting access to the web interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** D-Link DWR-116 versions 1.06 and earlier D-Link DWR-512 versions 2.02 and earlier D-Link DWR-712 versions 2.02 and earlier D-Link DWR-912 versions 2.02 and earlier D-Link DWR-921 versions 2.02 and earlier D-Link DWR-111 versions 1.01 and earlier **Description** The issue is related to insufficient neutralization of special elements used in an OS command in the web interface of D-Link router firmware. This can be exploited by a remote attacker to execute arbitrary code by injecting a shell command into the `sip` parameter when requesting the "chkisg.htm" page. This allows for full control over the device internals. **Recommendations** For D-Link DWR-116 versions 1.06 and earlier, update to a version later than 1.06 to resolve the issue. For D-Link DWR-512 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-712 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-912 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-921 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-111 versions 1.01 and earlier, update to a version later than 1.01 to resolve the issue. As a temporary workaround, consider restricting access to the "chkisg.htm" page to minimize the risk of exploitation. Avoid using the `sip` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** D-Link DWR-116 versions 1.06 and earlier D-Link DIR-140L versions 1.02 and earlier D-Link DIR-640L versions 1.02 and earlier D-Link DWR-512 versions 2.02 and earlier D-Link DWR-712 versions 2.02 and earlier D-Link DWR-912 versions 2.02 and earlier D-Link DWR-921 versions 2.02 and earlier D-Link DWR-111 versions 1.01 and earlier **Description** The issue concerns the storage of administrative passwords in plaintext in the /tmp/csman/0 file. An attacker with directory traversal or Local File Inclusion (LFI) capabilities can easily gain full access to the router. This allows a remote attacker to potentially gain full control over the device. **Recommendations** For D-Link DWR-116 versions 1.06 and earlier, update the firmware to remove the plaintext password storage. For D-Link DIR-140L versions 1.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DIR-640L versions 1.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-512 versions 2.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-712 versions 2.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-912 versions 2.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-921 versions 2.02 and earlier, update the firmware to remove the plaintext password storage. For D-Link DWR-111 versions 1.01 and earlier, update the firmware to remove the plaintext password storage. As a temporary workaround, consider restricting access to the /tmp/csman/0 file to minimize the risk of exploitation.