Cyrille Chatras

**Name of the Vulnerable Software and Affected Versions** NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC (affected versions not specified) **Description** The vulnerable software contains a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation of privileges and information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape, potentially allowing an attacker to escalate privileges and execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link Tapo C210 (affected versions not specified) **Description** This issue allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Tapo C210 IP cameras. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the `ActiveCells` parameter of the "CreateRules" and "ModifyRules" APIs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TP-Link Tapo C210 (affected versions not specified) **Description** This issue allows network-adjacent attackers to bypass authentication on affected installations of TP-Link Tapo C210 IP cameras. The specific flaw exists within the password recovery mechanism, which relies on the secrecy of the password derivation algorithm when generating a recovery password. An attacker can leverage this vulnerability to bypass authentication on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SD-WAN Software (affected versions not specified) Cisco SD-WAN vBond Orchestrator Cisco SD-WAN vEdge Cloud Routers Cisco SD-WAN vEdge Routers Cisco SD-WAN vSmart Controller Cisco SD-WAN vManage **Description** A flaw exists in the Command Line Interface (CLI) of Cisco SD-WAN Software that could allow an authenticated, local attacker to gain elevated privileges. This is due to insufficient access controls on commands within the application CLI. An attacker could exploit this by executing a malicious command on the CLI, potentially allowing them to execute arbitrary commands as the root user. The vulnerability involves incorrect restriction of the path name to an access-restricted directory. **Recommendations** Update to a newer version of Cisco SD-WAN Software that addresses this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-WR841N versions TL-WR841N(US) V14 220121 **Description** This issue allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR841N routers. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The specific flaw exists within the `ated tp` service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. **Recommendations** For TP-Link TL-WR841N version TL-WR841N(US) V14 220121, as a temporary workaround, consider disabling the `ated tp` service until a patch is available. Restrict access to the `ated tp` service to minimize the risk of exploitation. Avoid using user-supplied strings in the affected system call until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Cisco Enterprise NFV Infrastructure Software (NFVIS) (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) that could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. A vulnerability in the next-generation input/output (NGIO) function is associated with inadequate access control, which can be exploited by a remote attacker to elevate privileges by sending an API call from a virtual machine. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco IOx (affected versions not specified) **Description** Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. The vulnerability exists due to incorrect restriction of the directory path name with limited access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco IOx (affected versions not specified) **Description** The issue allows an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. This is due to incorrect restriction of the directory path name with limited access. Exploitation may allow a remote attacker to read or write arbitrary files in the system by sending a specially crafted HTTP request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco IOx (affected versions not specified) **Description** Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. The vulnerability exists due to incorrect restriction of the directory path name with limited access. Exploitation of the vulnerability may allow a remote attacker to read arbitrary files using a specially crafted HTTP request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco IOx (affected versions not specified) **Description** Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. The vulnerability is caused by errors in synchronization when using a shared resource. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco IOx (affected versions not specified) **Description** The issue exists due to incorrect restriction of the directory path name with limited access. An attacker could inject arbitrary commands into the underlying host operating system, execute arbitrary code on the host, install applications without authentication, or conduct a cross-site scripting (XSS) attack against a user of the affected software. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco IOx (affected versions not specified) **Description** The issue allows an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. This is due to incorrect restriction of the directory path name with limited access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco IOx (affected versions not specified) **Description** The issue exists due to incorrect restriction of the directory path name with limited access. An attacker could inject arbitrary commands into the underlying host operating system, execute arbitrary code on the host, install applications without authentication, or conduct a cross-site scripting (XSS) attack against a user of the affected software. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco IOx (affected versions not specified) **Description** The issue exists due to inadequate protection of the web page structure in the Cisco IOx application hosting environment on multiple Cisco platforms. This could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Enterprise NFV Infrastructure Software (NFVIS) (affected versions not specified) **Description** The issue is related to insufficient access control in the image registration process of Cisco Enterprise NFV Infrastructure Software (NFVIS), which could allow a remote attacker to execute arbitrary commands by installing a virtual machine image with crafted metadata. Additionally, there are multiple vulnerabilities that could enable an attacker to escape from a guest virtual machine to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Enterprise NFV Infrastructure Software (NFVIS) (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) that could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. One of the vulnerabilities is related to the incorrect restriction of XML links to external objects in the software import function, which could allow a remote attacker to disclose protected information using specially crafted XML code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Enterprise NFV Infrastructure Software (NFVIS) (affected versions not specified) **Description** A vulnerability in the TACACS+ authentication feature could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This issue is due to incomplete validation of user-supplied input passed to an authentication script. An attacker could exploit this by injecting parameters into an authentication request, potentially allowing them to bypass authentication and log in as an administrator. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FortiManager versions 6.2.7 and below, 6.4.5 and below FortiManager versions 6.2.x, 6.0.x, 5.6.x FortiAnalyzer versions 6.2.7 and below, 6.4.5 and below FortiAnalyzer versions 6.2.x, 6.0.x, 5.6.x FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4 and below **Description** The command line interface of the affected software has multiple OS command injection vulnerabilities, which may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters. This issue is related to the lack of measures to neutralize special elements used in operating system commands. **Recommendations** For FortiManager versions 6.2.7 and below, 6.4.5 and below, and all versions of 6.2.x, 6.0.x, and 5.6.x, consider disabling the command line interface until a patch is available. For FortiAnalyzer versions 6.2.7 and below, 6.4.5 and below, and all versions of 6.2.x, 6.0.x, and 5.6.x, consider disabling the command line interface until a patch is available. For FortiPortal versions 5.2.5 and below, 5.3.5 and below, and 6.0.4 and below, consider disabling the command line interface until a patch is available. As a temporary workaround, consider restricting access to the command line interface to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Juniper Networks Junos OS versions 17.2R1 through 18.3R3-S4 Juniper Networks Junos OS versions 18.4 through 18.4R2-S5 Juniper Networks Junos OS versions 18.4R3 through 18.4R3-S5 Juniper Networks Junos OS versions 19.1 through 19.1R1-S3 Juniper Networks Junos OS versions 19.1R2 through 19.2R3 Juniper Networks Junos OS versions 19.3 through 19.3R3 Juniper Networks Junos OS versions 19.4 through 19.4R2-S2 Description: The issue affects NFX Series devices using Juniper Networks Junos OS, allowing an attacker to elevate their privileges via the Junos Device Management Daemon (JDMD) process. This is a local command execution issue. The JDMD process is used by Junos Node Slicing, but this issue does not affect External Servers used in conjunction with Junos Node Slicing and In-Chassis Junos Node Slicing on MX480, MX960, MX2008, MX2010, MX2020. Recommendations: For versions 17.2R1 through 18.3R3-S4, update to version 18.3R3-S4 or later. For versions 18.4 through 18.4R2-S5, update to version 18.4R2-S5 or later. For versions 18.4R3 through 18.4R3-S5, update to version 18.4R3-S5 or later. For versions 19.1 through 19.1R1-S3, update to version 19.1R1-S3 or later. For versions 19.1R2 through 19.2R3, update to version 19.2R3 or later. For versions 19.3 through 19.3R3, update to version 19.3R3 or later. For versions 19.4 through 19.4R2-S2, update to version 19.4R2-S2 or later.