Derrie Sutton

Name of the Vulnerable Software and Affected Versions: (affected versions not specified) Description: A non-primary administrator user with admin rights to the web interface, but without shell access permissions, can view the device configuration, including the master admin password. This also allows the user to gain shell access with root group ID. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenCATS (affected versions not specified) **Description** Cross-site request forgery is facilitated by OpenCATS' failure to require CSRF tokens in POST requests. An attacker can exploit this issue by creating a dummy page that executes Javascript in an authenticated user's session when visited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** Improper neutralization of input during web page generation allows an authenticated attacker with access to a restricted account to submit malicious Javascript as the description for a calendar event. This malicious Javascript would then be executed in other users' browsers if they browse to that event, potentially resulting in the theft of session tokens from users with higher permission levels or forcing users to make actions without their knowledge. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue involves improper neutralization of input during web page generation. This allows an unauthenticated attacker to submit malicious Javascript as an answer to a questionnaire. When an authenticated user reviews the candidate's submission, the malicious Javascript is executed. This could be used to steal other users' cookies and force users to make actions without their knowledge. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenCATS (affected versions not specified) **Description** The issue is related to an open redirect vulnerability that exposes OpenCATS to template injection. This occurs due to improper validation of user-supplied GET parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Eyes of Network (affected versions not specified) **Description** The issue is related to improper neutralization of input during web page generation, making the Eyes of Network web application susceptible to cross-site scripting attacks. This can occur at specific API endpoints such as "/module/admin notifiers/rules.php" and "/module/report event/indext.php" via the parameters `rule notification`, `rule name`, and `rule name old`, and at "/module/admin user/add modify user.php" via the parameters `user name` and `user email`. **Recommendations** For Eyes of Network, as a temporary workaround, consider restricting access to the vulnerable API endpoints "/module/admin notifiers/rules.php", "/module/report event/indext.php", and "/module/admin user/add modify user.php" to minimize the risk of exploitation. Avoid using the parameters `rule notification`, `rule name`, `rule name old`, `user name`, and `user email` in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Draytek VigorConnect version 1.6.0-B3 **Description** A local file inclusion vulnerability exists in the file download functionality of the `WebServlet` endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. The issue is related to incorrect restriction of the directory path name with limited access. **Recommendations** For Draytek VigorConnect version 1.6.0-B3, as a temporary workaround, consider disabling the file download functionality of the `WebServlet` endpoint until a patch is available. Restrict access to the `WebServlet` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Draytek VigorConnect version 1.6.0-B3 **Description** A local file inclusion vulnerability exists in the file download functionality of the "DownloadFileServlet" endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. The issue is related to incorrect restriction of the directory path name with limited access. Exploitation of the vulnerability may allow a remote attacker to load arbitrary files with root privileges. **Recommendations** For Draytek VigorConnect version 1.6.0-B3, consider disabling the `DownloadFileServlet` endpoint until a patch is available to prevent exploitation. Restrict access to the file download functionality to minimize the risk of arbitrary file downloads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TCExam versions <= 14.8.1 Description: An exposure of sensitive information issue exists. If a password reset request is made for an email address not registered with a user, an 'unknown email' error appears. However, if the email is registered with a user, this error does not occur. A malicious actor could exploit this to enumerate email addresses of users. Recommendations: For TCExam versions <= 14.8.1, as a temporary workaround, consider modifying the password reset functionality to not disclose whether an email address is registered or not, until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TCExam versions prior to 14.8.4 **Description** A reflected cross-site scripting issue exists due to improper validation of the paths provided in the `f`, `d`, and `dir` parameters in `tce filemanager.php`. This could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf. **Recommendations** For versions prior to 14.8.4, update to version 14.8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `tce filemanager.php` file to minimize the risk of exploitation. Avoid using the parameters `f`, `d`, and `dir` in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TCExam versions prior to 14.8.5 **Description** A reflected cross-site scripting issue exists due to improper validation of paths provided in the `f`, `d`, and `dir` parameters in `tce select mediafile.php`. This could cause reflected XSS via unsanitized output of the supplied path. An attacker could craft a malicious link that, if triggered by an administrator, could result in session hijacking or actions performed on the victim's behalf. **Recommendations** For versions prior to 14.8.5, update to version 14.8.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `tce select mediafile.php` file until a patch is available. Avoid using the parameters `f`, `d`, and `dir` in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TCExam versions prior to 14.8.1 **Description** The issue is related to incorrect rendering of files as text/html when they start with a period. This can lead to cross-site scripting attacks. An attacker could upload a malicious JavaScript payload via the `tce select mediafile.php` endpoint, which would be triggered when another user views the file. The estimated number of potentially affected devices is not specified. **Recommendations** For versions prior to 14.8.1, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the `tce select mediafile.php` endpoint to minimize the risk of uploading malicious files.

**Name of the Vulnerable Software and Affected Versions** TCExam versions prior to 14.8.2 **Description** A stored cross-site scripting issue exists, allowing an attacker to upload a malicious JavaScript payload via `tce filemanager.php` with a filename starting with a period. This payload would be triggered when another user views the file, potentially leading to cross-site scripting attacks. The vulnerability is related to the incorrect rendering of files starting with a period as `text/html`. **Recommendations** For TCExam versions prior to 14.8.2, update to version 14.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to `tce filemanager.php` to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Racom's MIDGE Firmware version 4.4.40.105 Description: The issue allows attackers to view sensitive syslog events without authentication. This could potentially expose sensitive information. Recommendations: For Racom's MIDGE Firmware version 4.4.40.105, consider restricting access to syslog events until a patch is available. As a temporary workaround, limit the visibility of sensitive syslog events to authorized personnel only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Racom's MIDGE Firmware version 4.4.40.105 Description: The issue in Racom's MIDGE Firmware allows for privilege escalation via the `configd` service. Recommendations: For version 4.4.40.105, consider restricting access to the `configd` service as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Racom's MIDGE Firmware version 4.4.40.105 Description: The issue in Racom's MIDGE Firmware allows users to escape the provided command line interface and execute arbitrary OS commands. Recommendations: For version 4.4.40.105, consider restricting access to the command line interface until a patch is available. As a temporary workaround, limit the execution of arbitrary OS commands to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Racom's MIDGE Firmware version 4.4.40.105 Description: The issue in Racom's MIDGE Firmware allows for cross-site request forgeries. This means an attacker could potentially trick a user into performing unintended actions on a web application. Recommendations: For version 4.4.40.105, consider implementing additional security measures to prevent cross-site request forgeries, such as validating requests to ensure they come from an expected source. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: MIDGE Firmware version 4.4.40.105 Description: The issue allows attackers to access and delete files arbitrarily via an authenticated directory traversal. Recommendations: For MIDGE Firmware version 4.4.40.105, consider restricting access to sensitive directories and files as a temporary workaround until a patch is available.

Name of the Vulnerable Software and Affected Versions: Racom's MIDGE Firmware version 4.4.40.105 Description: The issue allows attackers to conduct cross-site scripting attacks via the "sms.php" dialogs. Recommendations: For Racom's MIDGE Firmware version 4.4.40.105, consider restricting access to the "sms.php" dialogs until a patch is available. As a temporary workaround, avoid using the vulnerable dialogs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Racom's MIDGE Firmware version 4.4.40.105 Description: The issue allows attackers to conduct cross-site scripting attacks via the "virtualization.php" dialogs. This can potentially lead to unauthorized access or control of the system. Recommendations: For Racom's MIDGE Firmware version 4.4.40.105, consider restricting access to the "virtualization.php" dialogs until a patch is available. As a temporary workaround, avoid using the vulnerable dialogs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.