Caoyebo

**Name of the Vulnerable Software and Affected Versions** Tenda AC6 version US AC6V5.0re V03.03.02.01 cn TDC01 **Description** A stack overflow issue allows attackers to run arbitrary commands via a crafted POST request to "/goform/PowerSaveSet". This can be exploited by sending a specifically designed request to the mentioned endpoint. **Recommendations** For Tenda AC6 version US AC6V5.0re V03.03.02.01 cn TDC01, as a temporary workaround, consider restricting access to the "/goform/PowerSaveSet" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda AC21 version US AC21V1.0re V16.03.08.15 cn TDC01 **Description** A stack overflow issue allows attackers to run arbitrary commands via a crafted POST request to the "/goform/openSchedWifi" API endpoint. This enables potential exploitation for malicious activities. **Recommendations** For Tenda AC21 version US AC21V1.0re V16.03.08.15 cn TDC01, as a temporary workaround, consider restricting access to the "/goform/openSchedWifi" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda AC23 version US AC23V1.0re V16.03.07.45 cn TDC01 **Description** A stack overflow issue allows attackers to execute arbitrary commands via the `schedStartTime` parameter. **Recommendations** For Tenda AC23 version US AC23V1.0re V16.03.07.45 cn TDC01, avoid using the `schedStartTime` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Auto Rename Media On Upload WordPress plugin versions prior to 1.1.0 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.1.0, update to version 1.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings for high privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** D-Link Dir 816 version DIR-816 A2 v1.10CNB04 **Description** The issue is related to a Command Injection vulnerability that allows attackers to run arbitrary commands via the `urlAdd` parameter. This can potentially enable a remote attacker to elevate privileges and execute arbitrary commands. The vulnerability is associated with a buffer overflow in memory due to the lack of neutralization of special elements used in the operating system command when processing the `urlAdd` parameter. **Recommendations** For version DIR-816 A2 v1.10CNB04, consider disabling access to the `urlAdd` parameter until a patch is available to prevent exploitation. Restricting access to this parameter can help minimize the risk of command injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-882 A1 version DIR882A1 FW130B06 **Description** The issue is related to the implementation of the HNAP1 protocol in the D-Link DIR-882 A1 wireless router's firmware, which fails to neutralize special elements used in operating system commands. This can be exploited by a remote attacker to elevate privileges and execute arbitrary commands by sending a specially crafted POST request to the `/HNAP1/` API endpoint. **Recommendations** For version DIR882A1 FW130B06, consider disabling the `/HNAP1/` API endpoint until a patch is available to prevent exploitation. Restrict access to the HNAP1 protocol to minimize the risk of command injection attacks. Avoid using the HNAP1 protocol for remote administration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.