Carsten Eiram

**Name of the Vulnerable Software and Affected Versions** Crestron Electronics DM-TXRX-100-STR devices with firmware prior to 1.3039.00040 **Description** The issue allows remote attackers to obtain access by setting the value of `objresp.authenabled` to 1, due to the device relying on the client to perform authentication. **Recommendations** For Crestron Electronics DM-TXRX-100-STR devices with firmware prior to 1.3039.00040, update the firmware to version 1.3039.00040 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Crestron Electronics DM-TXRX-100-STR devices with firmware through 1.3039.00040 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of arbitrary users. **Recommendations** For Crestron Electronics DM-TXRX-100-STR devices with firmware through 1.3039.00040, update the firmware to a version later than 1.3039.00040 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Crestron Electronics DM-TXRX-100-STR devices with firmware prior to 1.3039.00040 **Description** The issue allows remote attackers to obtain access via the web management interface due to a hardcoded password of `admin` for the `admin` account. **Recommendations** For devices with firmware prior to 1.3039.00040, update the firmware to version 1.3039.00040 or later to change the hardcoded password. As a temporary workaround, consider restricting access to the web management interface until the firmware can be updated.

**Name of the Vulnerable Software and Affected Versions** Crestron Electronics DM-TXRX-100-STR devices with firmware prior to 1.3039.00040 **Description** The issue allows remote attackers to conduct man-in-the-middle attacks against HTTPS sessions. This is due to the use of a hardcoded X.509 certificate from an OpenSSL Test Certification Authority, which creates a trust relationship that can be exploited. **Recommendations** For Crestron Electronics DM-TXRX-100-STR devices with firmware prior to 1.3039.00040, update the firmware to version 1.3039.00040 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Crestron Electronics DM-TXRX-100-STR devices with firmware prior to 1.3039.00040 **Description** The issue allows remote attackers to bypass authentication and change settings via a JSON API call. **Recommendations** For devices with firmware prior to 1.3039.00040, update the firmware to version 1.3039.00040 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Crestron Electronics DM-TXRX-100-STR devices with firmware prior to 1.3039.00040 **Description** The issue allows remote attackers to bypass authentication by making a direct request to a page other than index.html. **Recommendations** For Crestron Electronics DM-TXRX-100-STR devices with firmware prior to 1.3039.00040, update the firmware to version 1.3039.00040 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moxa SoftCMS versions 1.3 and prior **Description** The issue is related to a buffer overflow condition that may cause the system to crash or allow remote code execution. Technical details include the exploitation of various components and methods, such as `IVLCControl` `setStreamRecordData`, `RTSPVIDEO.rtspvideoCtrl.1` `Open3`, `IVLCControl` `setRecordPrefix`, `VLCControl` `setUserInfoData` `strIP`, `RTSPVIDEO.rtspvideoCtrl.1` `AudioRecord` method `fullfilename` parameter, `RTSPVIDEO.rtspvideoCtrl.1` `Open` and `Open2`, `VLCPlugin` ActiveX Control `setUserInfoData` `strUserName`, and `IVLCControl` `setConfigPath`. **Recommendations** For Moxa SoftCMS versions 1.3 and prior, update to version 1.4 or later, as released by Moxa on June 1, 2015, to address the issue. As a temporary workaround, consider disabling the `IVLCControl` `setStreamRecordData`, `RTSPVIDEO.rtspvideoCtrl.1` `Open3`, `IVLCControl` `setRecordPrefix`, `VLCControl` `setUserInfoData` `strIP`, `RTSPVIDEO.rtspvideoCtrl.1` `AudioRecord` method, `RTSPVIDEO.rtspvideoCtrl.1` `Open` and `Open2`, `VLCPlugin` ActiveX Control `setUserInfoData` `strUserName`, and `IVLCControl` `setConfigPath` functions until a patch is available. Restrict access to the vulnerable components to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Moxa SoftCMS versions 1.3 and prior **Description** The issue is related to a buffer overflow condition that may cause the system to crash or allow remote code execution. The `ip` argument in the `AudioRecord` method of `RTSPVIDEO.rtspvideoCtrl.1` is vulnerable to remote code execution. **Recommendations** For Moxa SoftCMS versions 1.3 and prior, update to version 1.4 or later, which was released by Moxa on June 1, 2015, to address the issue. As a temporary workaround, consider restricting access to the `RTSPVIDEO.rtspvideoCtrl.1` module and the `AudioRecord` method to minimize the risk of exploitation. Avoid using the `ip` argument in the affected method until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** 3S Pocketnet Tech VMS (affected versions not specified) **Description** The issue concerns multiple buffer overflows in the PocketNetNVRMediaClientAxCtrl.NVRMediaViewer.1 control, allowing remote attackers to execute arbitrary code. This can be achieved via a crafted string to various methods, including `StartRecord()`, `StartRecordEx()`, `StartScheduledRecord()`, `SetDisplayText()`, `GetONVIFDeviceInformation()`, `GetONVIFProfiles()`, and `GetONVIFStreamUri()`, or a crafted filename to `SaveCurrentImage()` or `SaveCurrentImageEx()`. No information is provided about the estimated number of potentially affected devices or real-world incidents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NTR ActiveX control versions prior to 2.0.4.8 **Description** The issue allows remote attackers to execute arbitrary code via a crafted `lModule` parameter that triggers use of an arbitrary memory address as a function pointer. This occurs in the `StopModule` method. **Recommendations** For versions prior to 2.0.4.8, update to version 2.0.4.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `StopModule` method until a patch is applied. Avoid using the `lModule` parameter in the affected method until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NTR ActiveX control versions prior to 2.0.4.8 **Description** The issue allows remote attackers to execute arbitrary code due to multiple stack-based buffer overflows. This can occur through various methods, including a long `bstrUrl` parameter to the `StartModule` method, a long `bstrParams` parameter to the `Check` method, or a long `bstrUrl` parameter to the `Download` or `DownloadModule` method during the construction of a .ntr pathname or a URL. **Recommendations** For versions prior to 2.0.4.8, update to version 2.0.4.8 or later to resolve the issue. As a temporary workaround, consider restricting the length of the `bstrUrl` and `bstrParams` parameters to prevent buffer overflows. Additionally, restrict access to the `StartModule`, `Check`, `Download`, and `DownloadModule` methods to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office XP SP3 Microsoft Office Converter Pack **Description** A buffer overflow issue exists in the TIFF image converter within the graphics filters of the affected software, allowing remote attackers to execute arbitrary code through a crafted TIFF image in an Office document. **Recommendations** For Microsoft Office XP SP3, update to a version that includes the fix for the TIFF image converter buffer overflow issue. For Microsoft Office Converter Pack, update to a version that includes the fix for the TIFF image converter buffer overflow issue.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions 10.6.x through 10.6.4 QuickTime versions prior to 10.6.5 **Description** The issue is caused by an array-indexing error when parsing Sorenson Video 3 content, which can lead to memory corruption during decompression via a specially crafted file. This can be exploited to execute arbitrary code or cause a denial of service, resulting in a memory corruption and application crash. **Recommendations** For Apple Mac OS X versions 10.6.x through 10.6.4, update to version 10.6.5 or later to resolve the issue. For other affected versions of QuickTime, update to a version that includes the fix for the Sorenson Video Codec decoding issue. As a temporary workaround, consider avoiding the use of Sorenson Video 3 content in QuickTime until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 4.0.249.78 **Description** A use-after-free issue allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors involving the display of a blocked popup window during navigation to a different web site. **Recommendations** For versions prior to 4.0.249.78, update to version 4.0.249.78 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Mozilla Firefox versions prior to 3.0.11 Description: A race condition in the NPObjWrapper NewResolve function might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object. Recommendations: For versions prior to 3.0.11, update to version 3.0.11 or later to resolve the issue. As a temporary workaround, consider disabling Java applet loading until a patch is available. Restrict access to pages that load Java applets to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime versions prior to 7.6.2 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash, via a crafted movie composed of a Sorenson 3 video file. **Recommendations** For versions prior to 7.6.2, update to version 7.6.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Microsoft Visual Basic 6.0 Microsoft Visual FoxPro versions 8.0 SP1 through 9.0 SP2 Description: The issue is related to multiple integer overflows in the Hierarchical FlexGrid ActiveX control, which allows remote attackers to execute arbitrary code. This is achieved by crafting specific properties, such as `Rows` and `Cols`, to the `ExpandAll` and `CollapseAll` methods. The exploitation is linked to the access of incorrectly initialized objects and the corruption of the system state. Recommendations: For Microsoft Visual Basic 6.0, update to a version that includes the fix for the Hierarchical FlexGrid Control Memory Corruption issue. For Microsoft Visual FoxPro versions 8.0 SP1 through 9.0 SP2, update to a version that includes the fix for the Hierarchical FlexGrid Control Memory Corruption issue. As a temporary workaround, consider restricting access to the Hierarchical FlexGrid ActiveX control until a patch is available.

Name of the Vulnerable Software and Affected Versions: Novell iPrint Client versions 4.x before 4.38 Novell iPrint Client versions 5.x before 5.08 Description: The issue is related to multiple heap-based buffer overflows in the IppCreateServerRef function. This can be exploited by remote attackers to execute arbitrary code via a long argument to certain functions in the Novell iPrint ActiveX control. The affected functions include `GetPrinterURLList`, `GetPrinterURLList2`, and `GetFileList2`. Recommendations: For Novell iPrint Client versions 4.x before 4.38, update to version 4.38 or later. For Novell iPrint Client versions 5.x before 5.08, update to version 5.08 or later.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 5.01 SP4 through 7 **Description** A use-after-free issue allows remote attackers to execute arbitrary code via a crafted data stream that triggers memory corruption. This can be achieved by constructing a specially crafted Web page that exploits the way Internet Explorer processes data streams. If successfully exploited, an attacker could gain the same user rights as the logged on user. **Recommendations** For Microsoft Internet Explorer versions 5.01 SP4 through 7, consider restricting access to untrusted web pages until a fix is available. As a temporary workaround, avoid using Internet Explorer to view potentially malicious web content. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Agent versions in Windows 2000 SP4, XP SP2, and Server 2003, 2003 SP1, and 2003 SP2 **Description** A remote code execution issue exists in the way Microsoft Agent handles certain specially crafted URLs, resulting in memory corruption. This allows remote attackers to execute arbitrary code. **Recommendations** For Windows 2000 SP4, XP SP2, and Server 2003, 2003 SP1, and 2003 SP2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.