Mitel · Mitel 6869i · CVE-2024-37569
Name of the Vulnerable Software and Affected Versions:
Mitel 6869i versions 4.5.0.41 and earlier
Mitel 6869i versions 5.x through 5.0.0.1018
Description:
A command injection issue exists in the `hostname` parameter accepted by the "provis.html" endpoint. The "provis.html" endpoint performs no sanitization on the `hostname` parameter, which is subsequently written to disk. During boot, the stored `hostname` value is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the `hostname` parameter.
Recommendations:
For Mitel 6869i versions 4.5.0.41 and earlier, consider disabling access to the "provis.html" endpoint until a patch is available.
For Mitel 6869i versions 5.x through 5.0.0.1018, restrict the use of the `hostname` parameter in the "provis.html" endpoint to minimize the risk of exploitation.
As a temporary workaround, consider implementing input validation and sanitization for the `hostname` parameter to prevent command injection attacks.
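One way to implement the validation the workaround calls for, paired with a detection pass over web-server access logs for provisioning requests that would fail it. This is an added example, not Mitel firmware code; the combined-format log layout, the GET query form of the request and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# One RFC 1123 label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def validate_hostname(value: str):
    """Return None if value is a well-formed hostname, else a short reason.
    Anything that is not a valid hostname, shell metacharacters included,
    is rejected by construction (allow-list) rather than by a denylist."""
    if not value:
        return "empty"
    if value.endswith("."):
        value = value[:-1]  # tolerate one trailing dot (FQDN form)
    if len(value) > 253:
        return "too long"
    for label in value.split("."):
        if not LABEL_RE.match(label):
            return f"bad label {label!r}"
    return None

# Request line of a combined-format access log entry (hypothetical layout:
# the phone's actual log format is not documented on this page).
REQ_RE = re.compile(r'^(\S+) .*"(?:GET|POST) /provis\.html\?([^ "]*) HTTP/')

def flag_provisioning_requests(log_lines):
    """Return (client, hostname, reason) for every provis.html request whose
    hostname parameter would not pass validate_hostname()."""
    hits = []
    for line in log_lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        client, query = m.groups()
        params = parse_qs(query, keep_blank_values=True)
        for hostname in params.get("hostname", []):
            reason = validate_hostname(hostname)
            if reason is not None:
                hits.append((client, hostname, reason))
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /provis.html?hostname=phone-1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /provis.html?hostname=phone-1%3Bdate HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in flag_provisioning_requests(SAMPLE_LOG):
        print("suspicious provisioning request:", hit)
```

Values submitted in a POST body do not appear in an access log, so the log pass only covers the query-string form; the validator itself applies to either.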