Edward Warren

Name of the Vulnerable Software and Affected Versions: KuWFi GC111 versions GC111-GL-LM321 V3.0 20191211 Description: The KuWFi GC111 device is susceptible to unauthorized command execution. A crafted POST request to the `/goform/goform set cmd process` API endpoint, utilizing the `SSID` parameter, allows remote attackers to execute arbitrary OS commands with root privileges. Recommendations: For KuWFi GC111 version GC111-GL-LM321 V3.0 20191211, restrict access to the `/goform/goform set cmd process` API endpoint. For KuWFi GC111 version GC111-GL-LM321 V3.0 20191211, sanitize or validate the `SSID` parameter to prevent command injection.

**Name of the Vulnerable Software and Affected Versions** com.enflick.android.tn2ndLine versions through 24.17.1.0 **Description** The com.enflick.android.tn2ndLine application for Android allows any installed application, without requiring permissions, to initiate phone calls without user interaction. This is achieved by sending a crafted intent to the `com.enflick.android.TextNow.activities.DialerActivity` component. **Recommendations** Update com.enflick.android.tn2ndLine to a version later than 24.17.1.0.

**Name of the Vulnerable Software and Affected Versions** Tuoshi/Dionlink LT15D 4G Wi-Fi devices version M7628NNxlSPv2xUI v1.0.1802.10.08 P4 Tuoshi/Dionlink LT21B devices version M7628xUSAxUIv2 v1.0.1481.15.02 P0 **Description** An issue allows a remote attacker with network access to exploit a command injection vulnerability. The "/goform/formJsonAjaxReq" endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges. **Recommendations** For Tuoshi/Dionlink LT15D 4G Wi-Fi devices version M7628NNxlSPv2xUI v1.0.1802.10.08 P4, consider restricting access to the "/goform/formJsonAjaxReq" endpoint until a patch is available. For Tuoshi/Dionlink LT21B devices version M7628xUSAxUIv2 v1.0.1481.15.02 P0, consider restricting access to the "/goform/formJsonAjaxReq" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NRadio N8-180 NROS version 1.9.2.n3.c5 **Description** An issue was discovered in NRadio devices, where the "/cgi-bin/luci/nradio/basic/radio" endpoint is vulnerable to XSS via the `2.4 GHz` and `5 GHz` name parameters. This allows an attacker to execute JavaScript within the context of the current user by injecting JavaScript into the `SSID` field. If an administrator logs into the device, the injected script runs in their browser, executing the malicious payload. **Recommendations** For NRadio N8-180 NROS version 1.9.2.n3.c5, as a temporary workaround, consider disabling access to the "/cgi-bin/luci/nradio/basic/radio" endpoint until a patch is available. Restrict the use of the `2.4 GHz` and `5 GHz` name parameters in this endpoint to minimize the risk of exploitation. Avoid using the `SSID` field in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TextNow: Call + Text Unlimited version 24.17.0.2 Description: The issue allows any installed application, without requiring permissions, to place phone calls without user interaction. This is achieved by sending a crafted intent via the `com.enflick.android.TextNow.activities.DialerActivity` component. Recommendations: For version 24.17.0.2, consider restricting access to the `com.enflick.android.TextNow.activities.DialerActivity` component to prevent unauthorized phone calls until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NRadio N8-180 NROS version 1.9.2.n3.c5 **Description** A problem was discovered in NRadio devices, where the "/cgi-bin/luci/nradio/basic/radio" endpoint is vulnerable to command injection through the `2.4 GHz` and `5 GHz` name parameters. This allows a remote attacker to execute arbitrary OS commands on the device with root-level permissions via crafted input. **Recommendations** For NRadio N8-180 NROS version 1.9.2.n3.c5, as a temporary workaround, consider disabling access to the "/cgi-bin/luci/nradio/basic/radio" endpoint until a patch is available. Restrict the use of the `2.4 GHz` and `5 GHz` name parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com.callerscreen.colorphone.themes.callflash (also known as Color Call Theme & Call Screen) versions 1.0.7 and earlier **Description** The issue allows any application to place phone calls without user interaction by sending a crafted intent via the `com.android.call.color.app.activities.DialerActivity` component. This enables unauthorized phone calls, potentially leading to security breaches. **Recommendations** For versions 1.0.7 and earlier, as a temporary workaround, consider disabling the `com.android.call.color.app.activities.DialerActivity` component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) versions 1.1.2 and earlier **Description** The issue allows any application to place phone calls without user interaction by sending a crafted intent via the `com.frovis.androidbase.call.DialerActivity` component. This enables unauthorized call placement. **Recommendations** For versions 1.1.2 and earlier, as a temporary workaround, consider restricting access to the `com.frovis.androidbase.call.DialerActivity` component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com.glitter.caller.screen versions 1.1 and earlier **Description** The issue allows any application to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity component. This enables unauthorized call execution. **Recommendations** For versions 1.1 and earlier, as a temporary workaround, consider disabling the `com.glitter.caller.screen.DialerActivity` component until a patch is available. Restrict access to the `com.glitter.caller.screen` application to minimize the risk of exploitation. Avoid using the `com.glitter.caller.screen` application for making phone calls until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com.callos14.callscreen.colorphone (also known as iCall OS17 - Color Phone Flash) versions 4.3 and earlier **Description** The issue allows any application to place phone calls without user interaction by sending a crafted intent via the `com.callos14.callscreen.colorphone.DialerActivity` component. This enables unauthorized phone call execution. **Recommendations** For versions 4.3 and earlier, as a temporary workaround, consider disabling the `com.callos14.callscreen.colorphone.DialerActivity` component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) versions through 21.1.9 for Android **Description** The issue allows any application to place phone calls without user interaction by sending a crafted intent via the `com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity` component. This enables unauthorized call execution. **Recommendations** For versions through 21.1.9, consider disabling the `com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity` component until a patch is available to prevent unauthorized call execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com.asianmobile.callcolor (aka Color Phone Call Screen App) version 24 for Android **Description** The issue allows any application to place phone calls without user interaction by sending a crafted intent via the `com.asianmobile.callcolor.ui.component.call.CallActivity` component. This enables unauthorized phone calls to be made without requiring any permissions. **Recommendations** For version 24, consider disabling the `com.asianmobile.callcolor.ui.component.call.CallActivity` component to prevent unauthorized phone calls until a patch is available. Restrict access to this component to minimize the risk of exploitation. Avoid using the application until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com.grice.call application version 4.5.2 **Description** The issue allows any installed application, even those without permissions, to place phone calls without user interaction by sending a crafted intent via the `com.iui.mobile.presentation.MobileActivity`. This enables unauthorized phone calls, potentially leading to security breaches or unwanted charges. **Recommendations** For version 4.5.2, consider disabling the `com.iui.mobile.presentation.MobileActivity` until a patch is available to prevent unauthorized phone calls. Restrict access to the application's functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Mister org.mistergroup.shouldianswer version 1.4.264 **Description** The issue allows any installed application, without requiring permissions, to initiate phone calls without user interaction. This is achieved by sending a crafted intent via the `org.mistergroup.shouldianswer.ui.default dialer.DefaultDialerActivity` component. **Recommendations** For version 1.4.264, consider restricting access to the `org.mistergroup.shouldianswer.ui.default dialer.DefaultDialerActivity` component to prevent unauthorized phone calls until a patch is available.

Name of the Vulnerable Software and Affected Versions: Victure RX1800 WiFi 6 Router version EN V1.0.0 r12 110933 Description: An issue was discovered in Victure RX1800 WiFi 6 Router devices, where certain "/cgi-bin/luci/admin" endpoints are vulnerable to command injection. Attackers can exploit this by sending crafted payloads through parameters intended for the ping utility, enabling arbitrary command execution with root-level permissions on the device. Recommendations: For version EN V1.0.0 r12 110933, as a temporary workaround, consider restricting access to the "/cgi-bin/luci/admin" endpoints to minimize the risk of exploitation. Avoid using parameters intended for the ping utility in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Victure RX1800 WiFi 6 Router version EN V1.0.0 r12 110933 Description: A problem was discovered in Victure RX1800 WiFi 6 Router devices. The "/cgi-bin/luci/admin/opsw/Dual freq un apple" endpoint is vulnerable to command injection through the `name` parameters of 2.4 GHz and 5 GHz, allowing an attacker to execute arbitrary commands on the device with root-level permissions via crafted input. Recommendations: For Victure RX1800 WiFi 6 Router version EN V1.0.0 r12 110933, as a temporary workaround, consider disabling access to the "/cgi-bin/luci/admin/opsw/Dual freq un apple" endpoint until a patch is available. Restrict input for the `name` parameters of 2.4 GHz and 5 GHz frequencies to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Victure RX1800 WiFi 6 Router version EN V1.0.0 r12 110933 Description: A problem was discovered in Victure RX1800 WiFi 6 Router devices, where a remote attacker in proximity to a Wi-Fi network can derive the default Wi-Fi PSK value via the last 4 octets of the BSSID. Recommendations: For version EN V1.0.0 r12 110933, consider changing the default Wi-Fi PSK value to a unique and strong password to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Victure RX1800 WiFi 6 Router version EN V1.0.0 r12 110933 Description: A problem was discovered in Victure RX1800 WiFi 6 Router devices where the TELNET service is enabled by default with `admin`/`admin` as default credentials and is exposed over the LAN. This allows attackers to execute arbitrary commands with root-level permissions. The device setup does not require this password to be changed during setup in order to utilize the device. However, the TELNET password is dictated by the current GUI password. Recommendations: To resolve the issue, change the default TELNET password to a strong and unique password. As a temporary workaround, consider disabling the TELNET service until a patch is available. Additionally, ensure that the GUI password is also changed to a strong and unique password, as it dictates the TELNET password.

Name of the Vulnerable Software and Affected Versions: Victure RX1800 WiFi 6 Router version EN V1.0.0 r12 110933 Description: A problem was discovered in Victure RX1800 WiFi 6 Router devices. The TELNET service is enabled by default and exposed over the LAN. The root account is accessible without a password, allowing attackers to achieve full control over the router remotely without any authentication. Recommendations: For version EN V1.0.0 r12 110933, consider disabling the TELNET service to prevent unauthorized access until a patch is available. Restrict access to the LAN to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EnGenius EWS356-FIR versions 1.1.30 and earlier **Description** The issue allows a remote attacker to execute arbitrary OS commands via the `Controller connectivity parameter`. This enables the attacker to gain unauthorized access and control over the system. **Recommendations** For EnGenius EWS356-FIR versions 1.1.30 and earlier, consider disabling the `Controller connectivity parameter` until a patch is available to prevent remote attackers from executing arbitrary OS commands. At the moment, there is no information about a newer version that contains a fix for this vulnerability.