Christian Zäske

A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on an USB stick leading to code execution. This can result in a total loss of confidentiality, integrity and availability.

A highly authenticated attacker can alter the config generator injecting a payload into future created configurations. The device is not correctly checking this configuration value before passing it to an system execute leading to code execution. This can result in a total loss of confidentiality, integrity and availability.

Name of the Vulnerable Software and Affected Versions versions not specified Description An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the `getinfo` endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to 2026-33613 **Description** A remote attacker can exploit an RCE vulnerability due to the improper neutralisation of special elements used in an OS command within the `generateSrpArray()` function, potentially leading to full system compromise. This attack requires the attacker to have a pre-existing ability to write arbitrary data to the user table. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions MB connect line mbCONNECT24 (affected versions not specified) Description An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the `setinfo` endpoint due to improper neutralization of special elements in a SQL UPDATE command. This can result in a total loss of integrity and availability. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to 2026-33616 **Description** An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the `mb24api` endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions The product name cannot be determined. (affected versions not specified) Description An unauthenticated remote attacker can access a configuration file containing database credentials, potentially leading to a loss of confidentiality. There is no exposed endpoint to utilize these credentials. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com mb24sysapi module (affected versions not specified) **Description** An unauthenticated remote attacker can exploit a remote code execution issue in the com mb24sysapi module, potentially leading to full system compromise. The root cause is the improper neutralisation of special elements used in an OS command. This is a variant of a previously known issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

**Name of the Vulnerable Software and Affected Versions** MR9600 versions 1.0.4.205530 MX4200 versions 1.0.13.210200 **Description** The software contains a flaw due to improper neutralization of special elements, allowing for SQL statement injection during the TLS-SRP connection handshake. This injection can introduce known credentials into the database, potentially enabling successful handshake completion and access to the protected service. **Recommendations** Update MR9600 to a version later than 1.0.4.205530. Update MX4200 to a version later than 1.0.13.210200.

**Name of the Vulnerable Software and Affected Versions** MR9600 versions 1.0.4.205530 MX4200 versions 1.0.13.210200 **Description** The issue stems from a lack of proper handling of special characters, allowing for the injection of OS commands through the update functionality associated with a TLS-SRP connection. This connection is typically used for device configuration within a mesh network. The vulnerability allows an attacker to inject and execute arbitrary OS commands. The vulnerable functionality is related to the update process and the TLS-SRP connection. **Recommendations** MR9600 version 1.0.4.205530: At the moment, there is no information about a newer version that contains a fix for this vulnerability. MX4200 version 1.0.13.210200: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EGroupware versions prior to 23.1.20240624 **Description** The issue arises from the mishandling of an ORDER BY clause, leading to SQL injection by authenticated users when sorting Address Book or InfoLog. This specifically affects the "json.php?menuaction=EGroupwareApiEtemplateWidgetNextmatch::ajax get rows" endpoint, where the `sort.id` parameter is vulnerable. **Recommendations** For versions prior to 23.1.20240624, update to version 23.1.20240624 or later to resolve the issue. As a temporary workaround, consider restricting access to the "json.php?menuaction=EGroupwareApiEtemplateWidgetNextmatch::ajax get rows" endpoint to minimize the risk of exploitation. Additionally, avoid using the `sort.id` parameter in the affected endpoint until the issue is resolved.