Bhaskar Tejaswi

**Name of the Vulnerable Software and Affected Versions** Konker version 2.3.9 **Description** The issue is related to a Cross-Site Request Forgery (CSRF), which is a type of attack that tricks a user into performing unintended actions on a web application. **Recommendations** For Konker version 2.3.9, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ResIOT IOT Platform + LoRaWAN Network Server versions through 4.1.1000114 **Description** A Cross Site Request Forgery (CSRF) issue allows attackers to add new admin users to the platform or cause other unspecified impacts. This can be achieved by exploiting the vulnerability in the affected software, potentially leading to unauthorized access and modifications. **Recommendations** For versions through 4.1.1000114, update to a version that includes a fix for this issue to prevent CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ResIOT IOT Platform + LoRaWAN Network Server versions through 4.1.1000114 **Description** The issue concerns multiple Cross Site Scripting (XSS) vulnerabilities. These vulnerabilities can be exploited via the form fields. **Recommendations** For versions through 4.1.1000114, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ResIOT IOT Platform + LoRaWAN Network Server versions through 4.1.1000114 **Description** The issue is related to a SQL injection vulnerability. It can be exploited via a crafted POST request to the "/ResiotQueryDBActive" API endpoint. This allows for potential unauthorized access or manipulation of data. **Recommendations** For versions through 4.1.1000114, update to a version that contains a fix for this issue, as using a crafted POST request to the "/ResiotQueryDBActive" endpoint can lead to SQL injection. As a temporary workaround, consider restricting access to the "/ResiotQueryDBActive" API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Boodskap IoT Platform version 4.4.9-02 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. Cross-site scripting is a type of security vulnerability that occurs when an attacker is able to inject malicious scripts into a website or application, which are then executed by the user's browser. This can allow the attacker to steal user data, take control of the user's session, or perform other malicious actions. **Recommendations** For Boodskap IoT Platform version 4.4.9-02, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Boodskap IoT Platform version 4.4.9-02 **Description** The issue allows attackers to escalate privileges via a crafted request sent to the "/api/user/upsert/<uuid>" API endpoint. **Recommendations** For Boodskap IoT Platform version 4.4.9-02, as a temporary workaround, consider restricting access to the "/api/user/upsert/<uuid>" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Boodskap IoT Platform version 4.4.9-02 **Description** The issue allows attackers to make unauthenticated API requests. **Recommendations** For Boodskap IoT Platform version 4.4.9-02, consider restricting access to API endpoints to prevent unauthenticated requests until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MQTTRoute versions prior to 3.3 **Description** A Cross-Site Request Forgery (CSRF) issue allows attackers to create and remove dashboards. **Recommendations** For versions prior to 3.3, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to dashboard creation and removal functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MQTTRoute versions 3.3 and below **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `dashboard name` text field. **Recommendations** For versions 3.3 and below, consider disabling the dashboard name text field until a patch is available to prevent exploitation. Restrict access to the dashboard to minimize the risk of arbitrary script execution. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** DGIOT Lightweight industrial IoT version 4.5.4 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. XSS is a type of security vulnerability that allows an attacker to inject malicious scripts into a website, potentially leading to unauthorized access or control of user sessions. **Recommendations** For version 4.5.4, update to a newer version that contains a fix for this issue, as using outdated software can expose users to security risks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThingsBoard IoT Platform versions prior to 3.3.4.1 **Description** The issue is related to Cross Site Scripting (XSS) in the ThingsBoard IoT Platform. It occurs when a crafted value is sent to the audit logs, potentially allowing malicious actions. **Recommendations** For versions prior to 3.3.4.1, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the audit logs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenRemote versions prior to 1.0.5 **Description** An issue in OpenRemote allows attackers to execute arbitrary code via a crafted Groovy rule. **Recommendations** For OpenRemote versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue.