Blazej Adamczyk

**Name of the Vulnerable Software and Affected Versions** CTFd versions 3.7.0 through 3.7.4 **Description** A flaw in logic implementation in CTFd allows an authenticated user to reset their team assignment and join another team while a competition is ongoing. This issue impacts releases from 3.7.0 up to 3.7.4. The problem was addressed in the 3.7.5 release. **Recommendations** For versions 3.7.0 through 3.7.4, update to version 3.7.5 to resolve the issue. As a temporary workaround, consider restricting team changes during ongoing competitions until the update to version 3.7.5 is applied.

**Name of the Vulnerable Software and Affected Versions** CTFd versions prior to 3.7.5 **Description** The issue concerns tokens used for account activation and password resetting in CTFd, which can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and are not single use. This means that during the token expiration time, an on-path attacker might reuse such a token to change a user's password and take over the account. Moreover, the tokens also include the user's email encoded in base64. **Recommendations** For versions prior to 3.7.5, update to version 3.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the account activation and password resetting features until the update is applied. Additionally, users should be cautious when using these features and monitor their account activity for any suspicious behavior.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3002RU versions 2.0.0 and earlier TOTOLINK A702R versions 2.1.3 and earlier TOTOLINK N301RT versions 2.1.6 and earlier TOTOLINK N302R versions 3.4.0 and earlier TOTOLINK N300RT versions 3.4.0 and earlier TOTOLINK N200RE versions 4.0.0 and earlier TOTOLINK N150RT versions 3.4.0 and earlier TOTOLINK N100RE versions 3.4.0 and earlier **Description** The issue allows an attacker to bypass the CAPTCHA protection on certain TOTOLINK Realtek SDK based routers. This can be achieved by sending a POST request to the "boafrm/formLogin" URI with a specific `topicurl` parameter set to "setting/getSanvas", which retrieves the CAPTCHA text. Once valid credentials are obtained, the attacker can perform router actions via HTTP requests using Basic Authentication. **Recommendations** For TOTOLINK A3002RU versions 2.0.0 and earlier, update to a version later than 2.0.0. For TOTOLINK A702R versions 2.1.3 and earlier, update to a version later than 2.1.3. For TOTOLINK N301RT versions 2.1.6 and earlier, update to a version later than 2.1.6. For TOTOLINK N302R versions 3.4.0 and earlier, update to a version later than 3.4.0. For TOTOLINK N300RT versions 3.4.0 and earlier, update to a version later than 3.4.0. For TOTOLINK N200RE versions 4.0.0 and earlier, update to a version later than 4.0.0. For TOTOLINK N150RT versions 3.4.0 and earlier, update to a version later than 3.4.0. For TOTOLINK N100RE versions 3.4.0 and earlier, update to a version later than 3.4.0. As a temporary workaround, consider restricting access to the "boafrm/formLogin" URI and disabling Basic Authentication until a patch is available.

Name of the Vulnerable Software and Affected Versions: Asus asuswrt versions <= 3.0.0.4.380.7743 Description: The issue is related to improper administrator IP validation after login in the HTTPd server, allowing an unauthorized user to execute actions knowing the administrator session token by using a specific User-Agent string. Recommendations: For versions <= 3.0.0.4.380.7743, as a temporary workaround, consider restricting access to the HTTPd server until a patch is available. Avoid using the vulnerable HTTPd server with administrator privileges until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Asus asuswrt versions prior to 3.0.0.4.380.7743 Description: The HTTPd server in Asus asuswrt stores passwords in plaintext in nvram. Recommendations: For versions prior to 3.0.0.4.380.7743, update to a version that fixes the issue of storing passwords in plaintext.

Name of the Vulnerable Software and Affected Versions: Asus asuswrt versions prior to 3.0.0.4.380.7743 Description: The issue concerns highly predictable session tokens in the HTTPd server, which can be exploited to gain administrative access to the router. Recommendations: For versions prior to 3.0.0.4.380.7743, update to a version that contains a fix for this issue to prevent gaining administrative router access.

Name of the Vulnerable Software and Affected Versions: Asus asuswrt versions prior to 3.0.0.4.378 Description: The issue is related to multiple buffer overflow vulnerabilities in the HTTPd server. These vulnerabilities can be exploited to achieve remote code execution (RCE) with administrator rights when the administrator visits specific pages. Some end-of-life routers are affected as they have a vulnerable version as their latest update. Recommendations: For versions prior to 3.0.0.4.378, update to version 3.0.0.4.378 or later to resolve the issue.