Sqlite · Sqlite · CVE-2022-24854
**Name of the Vulnerable Software and Affected Versions**
Metabase (affected versions not specified)
**Description**
The issue concerns Metabase, an open source business intelligence and analytics application, specifically affecting users who make use of SQLite. SQLite has a feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If an attacker has SQL permissions to at least one SQLite database, they can attach this database to a second database and query across all the tables, provided they also know the file path to the second database.
**Recommendations**
To resolve the issue, users are advised to upgrade as soon as possible.
If you're unable to upgrade, you can modify your SQLite connection strings to contain the URL argument `?limit_attached=0`, which will disallow making connections to other SQLite databases.
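The effect of that setting can be checked with the following added example, which is not Metabase code: Python's standard `sqlite3` module opens one database with default settings and once with attaching disabled, then tests whether a second database file can be read through it. It assumes that `setlimit(SQLITE_LIMIT_ATTACHED, 0)` is the Python counterpart of the connection-string argument; the file names, table names, helper functions and the extra authorizer callback are constructed for illustration.

```python
import os
import sqlite3
import tempfile


def make_db(path, table, value):
    """Create a constructed sample database holding one table with one row."""
    conn = sqlite3.connect(path)
    conn.execute(f"CREATE TABLE {table} (v TEXT)")
    conn.execute(f"INSERT INTO {table} VALUES (?)", (value,))
    conn.commit()
    conn.close()


def deny_attach(action, arg1, arg2, db_name, source):
    """Authorizer callback: refuse ATTACH statements, allow everything else."""
    return sqlite3.SQLITE_DENY if action == sqlite3.SQLITE_ATTACH else sqlite3.SQLITE_OK


def open_connection(path, hardened):
    conn = sqlite3.connect(path)
    if hardened:
        if hasattr(conn, "setlimit"):  # available from Python 3.11
            conn.setlimit(sqlite3.SQLITE_LIMIT_ATTACHED, 0)
        # Second layer; also covers interpreters without setlimit().
        conn.set_authorizer(deny_attach)
    return conn


def can_read_second_db(conn, second_path):
    """True if the connection can ATTACH second_path and read its table."""
    try:
        conn.execute("ATTACH DATABASE ? AS other_db", (second_path,))
        return conn.execute("SELECT v FROM other_db.payroll").fetchall() == [("secret",)]
    except sqlite3.Error:
        return False
    finally:
        conn.close()


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        granted = os.path.join(tmp, "granted.db")  # database the user may query
        other = os.path.join(tmp, "other.db")      # database the user was never granted
        make_db(granted, "reports", "public")
        make_db(other, "payroll", "secret")
        default = can_read_second_db(open_connection(granted, False), other)
        hardened = can_read_second_db(open_connection(granted, True), other)
        return {"default": default, "hardened": hardened}
```

`run_demo()` reports whether the second database was readable in each mode, which makes it usable as a regression check after changing connection settings.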