Craig Young

Name of the Vulnerable Software and Affected Versions: DD-WRT version 24-sp2 Description: A Command Injection issue exists due to a CSRF in DD-WRT, allowing a remote malicious user to cause a Denial of Service by using specially crafted configuration values that contain shell meta-characters. Recommendations: For DD-WRT version 24-sp2, as a temporary workaround, consider restricting access to configuration values to minimize the risk of exploitation. Avoid using configuration values that contain shell meta-characters until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco Linksys WRT110 (affected versions not specified) Description: A cross-site request forgery (CSRF) issue allows remote attackers to hijack user authentication for requests with unspecified impact. The exact vectors used for this exploitation are not specified. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Loftek Nexus 543 IP Camera (affected versions not specified) **Description** The issue allows remote attackers to obtain sensitive information, including IP addresses, firmware versions, timestamp, serial number, p2p port number, and wifi status. This can be achieved by sending a request to specific API endpoints, such as "get realip.cgi" for IP addresses or "get status.cgi" for other device information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiniUPnPd (affected versions not specified) **Description** The issue concerns an information disclosure problem related to the use of snprintf() in MiniUPnPd. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sonos wireless speaker products (affected versions not specified) **Description** The issue allows unauthorized access to the device via a DNS rebinding attack on the UPnP HTTP server. This can lead to remote device control and the exfiltration of privileged device and network information by an attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Roku and Roku TV products (affected versions not specified) **Description** The issue allows unauthorized access to the device via a DNS Rebind attack, potentially resulting in remote device control and the exfiltration of privileged device and network information by an attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Home and Chromecast devices (affected versions not specified, but versions before mid-July 2018 are impacted) **Description** The issue concerns a lack of protection against DNS rebinding attacks in the API service of the affected devices. This allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its local network. Attackers can extract the `scan results` JSON data, specifically the `bssid` fields, and send these fields in a "geolocation/v1/geolocate" Google Maps Geolocation API request to obtain location information. **Recommendations** For Google Home and Chromecast devices before mid-July 2018, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.18 through 2.4.30, 2.4.33 **Description** The issue is related to the allocation of workers in response to specially crafted HTTP/2 requests, leading to worker exhaustion and a denial of service. This can be exploited by sending specially crafted HTTP/2 requests, allowing a remote attacker to cause a denial of service. The issue only affects servers that have configured and enabled HTTP/2 support. **Recommendations** For versions 2.4.18 through 2.4.30, 2.4.33, update to Apache HTTP Server 2.4.34 to resolve the issue. As a temporary workaround, consider disabling HTTP/2 support to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Radio Thermostat CT50 and CT80 versions 1.04.84 and below **Description** The issue allows unauthorized access to the Local HTTP API via a DNS rebinding attack, potentially enabling remote control of device temperature. This could be exploited to alter a home's target temperature, as demonstrated by sending a `t heat` request to a device. **Recommendations** For Radio Thermostat CT50 and CT80 versions 1.04.84 and below, consider restricting access to the Local HTTP API to minimize the risk of exploitation. Avoid using the `tstat` API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Erlang (affected versions not specified) Description: The issue is related to the disclosure of information through inconsistency in the Erlang language interpreter. It may allow a remote attacker to gain access to confidential data. Specifically, the Erlang otp TLS server responds with different TLS alerts to various error types in the RSA PKCS #1 1.5 padding, enabling an attacker to decrypt content or sign messages with the server's private key, which is a variation of the Bleichenbacher attack. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MatrixSSL versions prior to 3.8.6 **Description** The issue allows remote attackers to cause a denial of service by freeing unallocated memory via a crafted X.509 certificate. **Recommendations** For versions prior to 3.8.6, update to version 3.8.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MatrixSSL versions prior to 3.8.6 **Description** The issue allows remote attackers to cause a denial of service, resulting in an out-of-bounds read. This occurs when a crafted ASN.1 Bit Field primitive is present in an X.509 certificate. **Recommendations** For versions prior to 3.8.6, update to version 3.8.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MatrixSSL versions prior to 3.8.6 **Description** The issue is caused by a heap-based buffer overflow in the dynamic memory of MatrixSSL. This can be exploited by a remote attacker to execute arbitrary code using a specially crafted X.509 certificate with a `Subject Alt Name`. **Recommendations** For versions prior to 3.8.6, update to version 3.8.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of X.509 certificates with specially crafted `Subject Alt Name` fields until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11 **Description** The issue is related to a component in Mac OS X, specifically the Notes application, which lacks protection for certain data. This can be exploited by a local attacker to gain access to sensitive information. The problem arises from the misparsing of links, allowing local users to obtain sensitive information. **Recommendations** For Apple OS X versions prior to 10.11, update to version 10.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the Notes application until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 8.4 **Description** The issue allows remote Wi-Fi access points to trigger an automatic association with an arbitrary security type by operating with a recognized ESSID within an 802.11 network's coverage area. This can be done when the WiFi Connectivity feature is enabled. **Recommendations** For versions prior to 8.4, update to version 8.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 9 through 11 **Description** The issue allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML. This is achieved through vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object. An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. **Recommendations** For Microsoft Internet Explorer versions 9 through 11, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.10 **Description** The issue allows remote attackers to discover the network addresses of all interfaces via an unspecified command to one interface. **Recommendations** For Apple OS X versions prior to 10.10, update to version 10.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ASUS RT-AC68U and other RT series routers versions prior to 3.0.0.4.374.5047 **Description** The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in the `destIP` parameter in the Target field of the Network Analysis tab, which is accessed through the "Main Analysis Content.asp" page. **Recommendations** For versions prior to 3.0.0.4.374.5047, update the firmware to version 3.0.0.4.374.5047 or later to resolve the issue. As a temporary workaround, consider restricting access to the Network Analysis tab or avoiding the use of shell metacharacters in the Target field until the firmware is updated.

**Name of the Vulnerable Software and Affected Versions** Review Board versions 1.6.x through 1.6.17 Review Board versions 1.7.x through 1.7.11 **Description** A cross-site scripting (XSS) issue exists in the Submitters list, allowing remote attackers to inject arbitrary web script or HTML via a user's full name. **Recommendations** For Review Board versions 1.6.x through 1.6.17, update to version 1.6.18 or later. For Review Board versions 1.7.x through 1.7.11, update to version 1.7.12 or later.

**Name of the Vulnerable Software and Affected Versions** Review Board versions 1.6.x through 1.6.16 Review Board versions 1.7.x through 1.7.9 **Description** A cross-site scripting (XSS) issue exists in the auto-complete widget, allowing remote attackers to inject arbitrary web script or HTML via a full name. This is due to a vulnerability in the htdocs/media/rb/js/reviews.js file. **Recommendations** For Review Board versions 1.6.x through 1.6.16, update to version 1.6.17 or later. For Review Board versions 1.7.x through 1.7.9, update to version 1.7.10 or later.