Dahua966

Name of the Vulnerable Software and Affected Versions: MODX CMS version 2.7.3 Description: A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component which can lead to an information disclosure or denial of service (DOS). Recommendations: For MODX CMS version 2.7.3, consider disabling the modRestServiceRequest component until a patch is available to prevent potential information disclosure or denial of service attacks.

Name of the Vulnerable Software and Affected Versions: Symphony version 2.7.10 Description: A XML External Entity (XXE) vulnerability was discovered in symphonylibtoolkitclass.xmlelement.php which can lead to an information disclosure or denial of service (DOS). Recommendations: For Symphony version 2.7.10, consider disabling the `class.xmlelement.php` file in the `symphonylibtoolkit` directory as a temporary workaround until a patch is available. Restrict access to the vulnerable `class.xmlelement.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DotPlant2 versions prior to 2020-09-14 **Description** An issue was discovered in the Pay2PayPayment class in payment/Pay2PayPayment.php, where there is an XXE vulnerability in the `checkResult()` function. The user input (`$ POST['xml']`) is used for `simplexml load string` without sanitization. This issue only affects products that are no longer supported by the maintainer. **Recommendations** For versions prior to 2020-09-14, as a temporary workaround, consider disabling the `checkResult()` function in the Pay2PayPayment class until a patch is available. Restrict access to the `payment/Pay2PayPayment.php` file to minimize the risk of exploitation. Avoid using the `$ POST['xml']` input in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-859 versions A3 D-Link DIR-850L version A1.13 **Description** The issue is related to the etc/services/DEVICE.TIME.php component of the D-Link DIR-859 A3 and D-Link DIR-850L A microprogrammed software for wireless routers. It is associated with the failure to neutralize special elements used in the operating system command. Exploitation of this issue may allow a remote attacker to execute arbitrary code using the `$ SERVER` array. The `/etc/services/DEVICE.TIME.php` file allows command injection via the `$SERVER` variable. **Recommendations** For D-Link DIR-859 version A3, consider disabling the `DEVICE.TIME.php` component until a patch is available. For D-Link DIR-850L version A1.13, restrict access to the `/etc/services/DEVICE.TIME.php` file to minimize the risk of exploitation. Avoid using the `$ SERVER` variable in the affected API endpoint until the issue is resolved.