Br0X

Researcher from sploit.tech
#3076 of 53,630
82 Total CVSS
Vulnerabilities · 10
Medium: 2
High: 5
Critical: 3
PT-2020-10246
7.5
2020-01-27
Totolink · Totolink N301Rt · CVE-2019-19823
**Name of the Vulnerable Software and Affected Versions**

- TOTOLINK A3002RU versions 2.0.0 and earlier
- TOTOLINK A702R versions 2.1.3 and earlier
- TOTOLINK N301RT versions 2.1.6 and earlier
- TOTOLINK N302R versions 3.4.0 and earlier
- TOTOLINK N300RT versions 3.4.0 and earlier
- TOTOLINK N200RE versions 4.0.0 and earlier
- TOTOLINK N150RT versions 3.4.0 and earlier
- TOTOLINK N100RE versions 3.4.0 and earlier
- Rutek RTK 11N AP versions prior to 2019-12-12
- Sapido GR297n versions prior to 2019-12-12
- CIK TELECOM MESH ROUTER versions prior to 2019-12-12
- KCTVJEJU Wireless AP versions prior to 2019-12-12
- Fibergate FGN-R2 versions prior to 2019-12-12
- Hi-Wifi MAX-C300N versions prior to 2019-12-12
- HCN MAX-C300N versions prior to 2019-12-12
- T-broad GN-866ac versions prior to 2019-12-12
- Coship EMTA AP versions prior to 2019-12-12
- IO-Data WN-AC1167R versions prior to 2019-12-12

**Description**

The router administration interface stores cleartext administrative passwords in flash memory and in a file. This issue affects various router models.

**Recommendations**

- For TOTOLINK A3002RU versions 2.0.0 and earlier, update the firmware to remove cleartext administrative passwords from flash memory and files.
- For TOTOLINK A702R versions 2.1.3 and earlier, update the firmware to remove cleartext administrative passwords from flash memory and files.
- For TOTOLINK N301RT versions 2.1.6 and earlier, update the firmware to remove cleartext administrative passwords from flash memory and files.
- For TOTOLINK N302R versions 3.4.0 and earlier, update the firmware to remove cleartext administrative passwords from flash memory and files.
- For TOTOLINK N300RT versions 3.4.0 and earlier, update the firmware to remove cleartext administrative passwords from flash memory and files.
- For TOTOLINK N200RE versions 4.0.0 and earlier, update the firmware to remove cleartext administrative passwords from flash memory and files.
- For TOTOLINK N150RT versions 3.4.0 and earlier, update the firmware to remove cleartext administrative passwords from flash memory and files.
- For TOTOLINK N100RE versions 3.4.0 and earlier, update the firmware to remove cleartext administrative passwords from flash memory and files.
- For Rutek RTK 11N AP versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For Sapido GR297n versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For CIK TELECOM MESH ROUTER versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For KCTVJEJU Wireless AP versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For Fibergate FGN-R2 versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For Hi-Wifi MAX-C300N versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For HCN MAX-C300N versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For T-broad GN-866ac versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For Coship EMTA AP versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.
- For IO-Data WN-AC1167R versions prior to 2019-12-12, update the firmware to a version released after 2019-12-12.

PT-2020-10245
7.5
2020-01-27
Totolink · Totolink N301Rt · CVE-2019-19822
**Name of the Vulnerable Software and Affected Versions**

- TOTOLINK A3002RU versions 2.0.0 and earlier
- TOTOLINK A702R versions 2.1.3 and earlier
- TOTOLINK N301RT versions 2.1.6 and earlier
- TOTOLINK N302R versions 3.4.0 and earlier
- TOTOLINK N300RT versions 3.4.0 and earlier
- TOTOLINK N200RE versions 4.0.0 and earlier
- TOTOLINK N150RT versions 3.4.0 and earlier
- TOTOLINK N100RE versions 3.4.0 and earlier
- Rutek RTK 11N AP versions prior to 2019-12-12
- Sapido GR297n versions prior to 2019-12-12
- CIK TELECOM MESH ROUTER versions prior to 2019-12-12
- KCTVJEJU Wireless AP versions prior to 2019-12-12
- Fibergate FGN-R2 versions prior to 2019-12-12
- Hi-Wifi MAX-C300N versions prior to 2019-12-12
- HCN MAX-C300N versions prior to 2019-12-12
- T-broad GN-866ac versions prior to 2019-12-12
- Coship EMTA AP versions prior to 2019-12-12
- IO-Data WN-AC1167R versions prior to 2019-12-12

**Description**

The router administration interface, which includes Realtek APMIB 0.11f for Boa 0.94.14rc21, allows remote attackers to retrieve the configuration, including sensitive data such as usernames and passwords.

**Recommendations**

- For TOTOLINK A3002RU versions 2.0.0 and earlier, update to a version later than 2.0.0.
- For TOTOLINK A702R versions 2.1.3 and earlier, update to a version later than 2.1.3.
- For TOTOLINK N301RT versions 2.1.6 and earlier, update to a version later than 2.1.6.
- For TOTOLINK N302R versions 3.4.0 and earlier, update to a version later than 3.4.0.
- For TOTOLINK N300RT versions 3.4.0 and earlier, update to a version later than 3.4.0.
- For TOTOLINK N200RE versions 4.0.0 and earlier, update to a version later than 4.0.0.
- For TOTOLINK N150RT versions 3.4.0 and earlier, update to a version later than 3.4.0.
- For TOTOLINK N100RE versions 3.4.0 and earlier, update to a version later than 3.4.0.
- For Rutek RTK 11N AP versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For Sapido GR297n versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For CIK TELECOM MESH ROUTER versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For KCTVJEJU Wireless AP versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For Fibergate FGN-R2 versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For Hi-Wifi MAX-C300N versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For HCN MAX-C300N versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For T-broad GN-866ac versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For Coship EMTA AP versions prior to 2019-12-12, update to a version later than 2019-12-12.
- For IO-Data WN-AC1167R versions prior to 2019-12-12, update to a version later than 2019-12-12.

PT-2020-10247
9.0
2020-01-27
Totolink · Totolink N301Rt · CVE-2019-19824
**Name of the Vulnerable Software and Affected Versions**

- TOTOLINK A3002RU versions 2.0.0 and earlier
- TOTOLINK A702R versions 2.1.3 and earlier
- TOTOLINK N301RT versions 2.1.6 and earlier
- TOTOLINK N302R versions 3.4.0 and earlier
- TOTOLINK N300RT versions 3.4.0 and earlier
- TOTOLINK N200RE versions 4.0.0 and earlier
- TOTOLINK N150RT versions 3.4.0 and earlier
- TOTOLINK N100RE versions 3.4.0 and earlier
- TOTOLINK N302RE version 2.0.2

**Description**

An authenticated attacker may execute arbitrary OS commands via the `sysCmd` parameter to the "boafrm/formSysCmd" URI. This allows for full control over the device's internals.

**Recommendations**

- For TOTOLINK A3002RU versions 2.0.0 and earlier, consider disabling access to the "boafrm/formSysCmd" URI until a patch is available.
- For TOTOLINK A702R versions 2.1.3 and earlier, restrict the use of the `sysCmd` parameter in the "boafrm/formSysCmd" URI to minimize the risk of exploitation.
- For TOTOLINK N301RT versions 2.1.6 and earlier, avoid using the `sysCmd` parameter in the affected API endpoint until the issue is resolved.
- For TOTOLINK N302R versions 3.4.0 and earlier, temporarily disable the `sysCmd` functionality to prevent exploitation.
- For TOTOLINK N300RT versions 3.4.0 and earlier, restrict access to the vulnerable module to minimize the risk of exploitation.
- For TOTOLINK N200RE versions 4.0.0 and earlier, consider disabling the `sysCmd` parameter in the "boafrm/formSysCmd" URI as a temporary workaround.
- For TOTOLINK N150RT versions 3.4.0 and earlier, avoid using the vulnerable API endpoint until a patch is available.
- For TOTOLINK N100RE versions 3.4.0 and earlier, restrict the use of the `sysCmd` parameter to prevent exploitation.
- For TOTOLINK N302RE version 2.0.2, consider disabling access to the "boafrm/formSysCmd" URI until a patch is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2020-10248
9.8
2020-01-27
Totolink · Totolink N301Rt · CVE-2019-19825
**Name of the Vulnerable Software and Affected Versions**

- TOTOLINK A3002RU versions 2.0.0 and earlier
- TOTOLINK A702R versions 2.1.3 and earlier
- TOTOLINK N301RT versions 2.1.6 and earlier
- TOTOLINK N302R versions 3.4.0 and earlier
- TOTOLINK N300RT versions 3.4.0 and earlier
- TOTOLINK N200RE versions 4.0.0 and earlier
- TOTOLINK N150RT versions 3.4.0 and earlier
- TOTOLINK N100RE versions 3.4.0 and earlier

**Description**

The issue allows an attacker to bypass the CAPTCHA protection on certain TOTOLINK Realtek SDK based routers. This can be achieved by sending a POST request to the "boafrm/formLogin" URI with a specific `topicurl` parameter set to "setting/getSanvas", which retrieves the CAPTCHA text. Once valid credentials are obtained, the attacker can perform router actions via HTTP requests using Basic Authentication.

**Recommendations**

- For TOTOLINK A3002RU versions 2.0.0 and earlier, update to a version later than 2.0.0.
- For TOTOLINK A702R versions 2.1.3 and earlier, update to a version later than 2.1.3.
- For TOTOLINK N301RT versions 2.1.6 and earlier, update to a version later than 2.1.6.
- For TOTOLINK N302R versions 3.4.0 and earlier, update to a version later than 3.4.0.
- For TOTOLINK N300RT versions 3.4.0 and earlier, update to a version later than 3.4.0.
- For TOTOLINK N200RE versions 4.0.0 and earlier, update to a version later than 4.0.0.
- For TOTOLINK N150RT versions 3.4.0 and earlier, update to a version later than 3.4.0.
- For TOTOLINK N100RE versions 3.4.0 and earlier, update to a version later than 3.4.0.

As a temporary workaround, consider restricting access to the "boafrm/formLogin" URI and disabling Basic Authentication until a patch is available.

PT-2018-1748
9.8
2018-10-12
D Link · Dwr-512 · CVE-2018-10824
**Name of the Vulnerable Software and Affected Versions**

- D-Link DWR-116 versions 1.06 and earlier
- D-Link DIR-140L versions 1.02 and earlier
- D-Link DIR-640L versions 1.02 and earlier
- D-Link DWR-512 versions 2.02 and earlier
- D-Link DWR-712 versions 2.02 and earlier
- D-Link DWR-912 versions 2.02 and earlier
- D-Link DWR-921 versions 2.02 and earlier
- D-Link DWR-111 versions 1.01 and earlier

**Description**

The issue concerns the storage of administrative passwords in plaintext in the /tmp/csman/0 file. An attacker with directory traversal or Local File Inclusion (LFI) capabilities can easily gain full access to the router. This allows a remote attacker to potentially gain full control over the device.

**Recommendations**

- For D-Link DWR-116 versions 1.06 and earlier, update the firmware to remove the plaintext password storage.
- For D-Link DIR-140L versions 1.02 and earlier, update the firmware to remove the plaintext password storage.
- For D-Link DIR-640L versions 1.02 and earlier, update the firmware to remove the plaintext password storage.
- For D-Link DWR-512 versions 2.02 and earlier, update the firmware to remove the plaintext password storage.
- For D-Link DWR-712 versions 2.02 and earlier, update the firmware to remove the plaintext password storage.
- For D-Link DWR-912 versions 2.02 and earlier, update the firmware to remove the plaintext password storage.
- For D-Link DWR-921 versions 2.02 and earlier, update the firmware to remove the plaintext password storage.
- For D-Link DWR-111 versions 1.01 and earlier, update the firmware to remove the plaintext password storage.

As a temporary workaround, consider restricting access to the /tmp/csman/0 file to minimize the risk of exploitation.

PT-2018-1747
9.0
2018-10-12
D Link · Dwr-512 · CVE-2018-10823
**Name of the Vulnerable Software and Affected Versions**

- D-Link DWR-116 versions 1.06 and earlier
- D-Link DWR-512 versions 2.02 and earlier
- D-Link DWR-712 versions 2.02 and earlier
- D-Link DWR-912 versions 2.02 and earlier
- D-Link DWR-921 versions 2.02 and earlier
- D-Link DWR-111 versions 1.01 and earlier

**Description**

The issue is related to insufficient neutralization of special elements used in an OS command in the web interface of D-Link router firmware. This can be exploited by a remote attacker to execute arbitrary code by injecting a shell command into the `sip` parameter when requesting the "chkisg.htm" page. This allows for full control over the device internals.

**Recommendations**

- For D-Link DWR-116 versions 1.06 and earlier, update to a version later than 1.06 to resolve the issue.
- For D-Link DWR-512 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue.
- For D-Link DWR-712 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue.
- For D-Link DWR-912 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue.
- For D-Link DWR-921 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue.
- For D-Link DWR-111 versions 1.01 and earlier, update to a version later than 1.01 to resolve the issue.

As a temporary workaround, consider restricting access to the "chkisg.htm" page to minimize the risk of exploitation. Avoid using the `sip` parameter in the affected API endpoint until the issue is resolved.

PT-2018-1746
7.8
2018-10-12
D Link · Dwr-512 · CVE-2018-10822
**Name of the Vulnerable Software and Affected Versions**

- D-Link DWR-116 versions 1.06 and earlier
- D-Link DIR-140L versions 1.02 and earlier
- D-Link DIR-640L versions 1.02 and earlier
- D-Link DWR-512 versions 2.02 and earlier
- D-Link DWR-712 versions 2.02 and earlier
- D-Link DWR-912 versions 2.02 and earlier
- D-Link DWR-921 versions 2.02 and earlier
- D-Link DWR-111 versions 1.01 and earlier

**Description**

The issue is related to a directory traversal vulnerability in the web interface of D-Link devices. This vulnerability allows remote attackers to read arbitrary files via a specially crafted HTTP request, such as by including `/..` or `//` after "GET /uir". The vulnerability exists due to insufficient path checking.

**Recommendations**

- For D-Link DWR-116 versions 1.06 and earlier, update to a version later than 1.06.
- For D-Link DIR-140L versions 1.02 and earlier, update to a version later than 1.02.
- For D-Link DIR-640L versions 1.02 and earlier, update to a version later than 1.02.
- For D-Link DWR-512 versions 2.02 and earlier, update to a version later than 2.02.
- For D-Link DWR-712 versions 2.02 and earlier, update to a version later than 2.02.
- For D-Link DWR-912 versions 2.02 and earlier, update to a version later than 2.02.
- For D-Link DWR-921 versions 2.02 and earlier, update to a version later than 2.02.
- For D-Link DWR-111 versions 1.01 and earlier, update to a version later than 1.01.

As a temporary workaround, consider restricting access to the web interface until a patch is available.