C0Ss4Ck

**Name of the Vulnerable Software and Affected Versions** NVIDIA DOCA (affected versions not specified) **Description** NVIDIA DOCA contains an issue in the collectx-clxapidev Debian package that may allow a low-privileged actor to escalate privileges. A successful exploit of this issue could lead to privilege escalation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DrayTek Vigor 2960 version 1.5.1.3 DrayTek Vigor 3900 version 1.5.1.3 DrayTek Vigor 300B version 1.5.1.3 **Description** A Remote Command Injection issue exists in the mainfunction.cgi script of the DrayTek Vigor web interface due to inadequate data sanitization at the management level. This could allow a remote attacker to execute arbitrary code by sending a crafted HTTP message with a malformed QUERY STRING to the mainfunction.cgi endpoint. **Recommendations** For DrayTek Vigor 2960 version 1.5.1.3, consider disabling the mainfunction.cgi script until a patch is available. For DrayTek Vigor 3900 version 1.5.1.3, restrict access to the mainfunction.cgi endpoint to minimize the risk of exploitation. For DrayTek Vigor 300B version 1.5.1.3, avoid using the QUERY STRING parameter in the mainfunction.cgi endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** DrayTek Vigor 2960 versions 1.5.1.3 and earlier DrayTek Vigor 3900 versions 1.5.1.3 and earlier DrayTek Vigor 300B versions 1.5.1.3 and earlier **Description** The issue is related to a Format String vulnerability in the mainfunction.cgi file of the DrayTek Vigor web interface. This vulnerability can be exploited by a remote attacker using a crafted HTTP message with a malformed QUERY STRING, potentially allowing the execution of arbitrary code. **Recommendations** For DrayTek Vigor 2960 version 1.5.1.3 and earlier, update to a version later than 1.5.1.3. For DrayTek Vigor 3900 version 1.5.1.3 and earlier, update to a version later than 1.5.1.3. For DrayTek Vigor 300B version 1.5.1.3 and earlier, update to a version later than 1.5.1.3. As a temporary workaround, consider restricting access to the mainfunction.cgi file until a patch is available.

Name of the Vulnerable Software and Affected Versions: D-Link DSR-250 version 3.14 D-Link DSR-1000N version 2.11B201 Description: The UPnP service in the affected devices contains a command injection issue, which can lead to remote command execution. Recommendations: For D-Link DSR-250 version 3.14, consider disabling the UPnP service until a patch is available. For D-Link DSR-1000N version 2.11B201, consider disabling the UPnP service until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.