Fergod

**Name of the Vulnerable Software and Affected Versions** D-Link DGS-3420 version 1.50.018 **Description** An issue exists in the System Information Settings Page component where improper processing of the `System Name` argument allows for cross-site scripting (XSS), a technique where malicious scripts are injected into trusted websites. This flaw enables remote exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Datacom DM4100 version 1.3.6.1.4.1.3709 **Description** A reflected cross-site scripting issue exists in the VLAN Page component. A remote attacker can manipulate the `VLAN Name` argument to execute malicious scripts in the context of a user's session. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BDCOM P3310D version 0.4.2 10.1.0F Build 86345 **Description** A weakness in the rmon event Tab component allows for remote cross-site scripting (XSS), which is a technique where malicious scripts are injected into trusted websites. This occurs through the manipulation of the `Description` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BIVOCOM TR321 version 21.1.1.50 **Description** A flaw in the Wireless Setting component allows for remote cross-site scripting (XSS), which is a technique where malicious scripts are injected into trusted websites. This occurs through the manipulation of the `Network Name SSID` argument. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Netis WF2419 version 1.2.29433 Description: A cross-site scripting issue exists in the Wireless Settings Page component, specifically within the `/index.htm` file. Manipulation of the `SSID` argument with the input `<img/src/onerror=prompt(8)>` triggers the vulnerability. Remote exploitation is possible, and the exploit has been publicly disclosed. The vendor was contacted regarding this disclosure but did not respond. Recommendations: As a temporary workaround, consider restricting or disabling the Wireless Settings Page until a fix is available.

Name of the Vulnerable Software and Affected Versions: JCG Link-net LW-N915R version 17s.20.001.908 Description: A vulnerability exists in the Wireless Basic Settings Page component of JCG Link-net LW-N915R version 17s.20.001.908. Manipulation of the `Network Name` argument in the `/wireless/basic.asp` file can lead to cross site scripting. The attack can be launched remotely. Recommendations: Sanitize the `Network Name` input to prevent the injection of malicious scripts. Restrict access to the `/wireless/basic.asp` file.

Name of the Vulnerable Software and Affected Versions: Datacom DM955 5GT 1200 version 825.8010.00 Description: A cross site scripting issue exists due to the manipulation of the `SSID` argument within the Wireless Basic Settings component. The attack can be launched remotely. The exploit has been disclosed to the public. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-6010L version 1.15.03 **Description** A cross-site scripting issue exists due to the manipulation of the `paratest` argument within the `/vb.htm` file of the Management Application. The attack can be launched remotely. The exploit has been publicly disclosed. This issue affects products that are no longer supported by the maintainer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intelbras WRN 150 version 1.0.15 pt ITB01 **Description** A issue was found in the Wireless Menu component, where the manipulation of the `SSID` argument leads to cross-site scripting. This can be initiated remotely. The vendor has stated that the latest version is not affected. **Recommendations** For Intelbras WRN 150 version 1.0.15 pt ITB01, it is recommended to upgrade to a newer version to resolve the issue. As a temporary workaround, consider restricting access to the Wireless Menu component to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Castlenet CBW383G2N up to 20250301 Description: A vulnerability was found in the Wireless Menu component, specifically affecting the file /wlanPrimaryNetwork.asp. The issue arises from the manipulation of the `SSID` argument with malicious input, such as `<img/src/onerror=prompt(8)>`, leading to cross-site scripting. This can be initiated remotely. Other parameters might also be affected. The vendor was contacted about this disclosure but did not respond. Recommendations: For Castlenet CBW383G2N up to 20250301, as a temporary workaround, consider restricting access to the `/wlanPrimaryNetwork.asp` file until a patch is available. Avoid using the `SSID` argument in the affected Wireless Menu component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Blizzard Battle.Net versions up to 2.39.0.15212 **Description** A critical issue was found in Blizzard Battle.Net, affecting some unknown functionality in the library profapi.dll. The manipulation leads to an uncontrolled search path. The attack needs to be approached locally and has a rather high complexity, making exploitation difficult. **Recommendations** For versions up to 2.39.0.15212, as a temporary workaround, consider restricting access to the profapi.dll library until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Edimax BR-6288ACL version 1.30 **Description** A vulnerability was found in the Edimax BR-6288ACL, affecting unknown code of the file wireless5g basic.asp. The manipulation of the `SSID` argument leads to cross-site scripting. The attack can be initiated remotely. The vendor was contacted about this disclosure but did not respond. **Recommendations** For Edimax BR-6288ACL version 1.30, as a temporary workaround, consider restricting access to the wireless5g basic.asp file until a patch is available. Avoid using the `SSID` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FiberHome AN5506-01A ONU GPON RP2511 (affected versions not specified) **Description** A critical issue has been found in the Diagnosis component of the affected software, where the manipulation of the `Destination Address` argument leads to os command injection. This issue can be exploited remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FiberHome AN5506-01A ONU GPON RP2511 (affected versions not specified) **Description** The issue concerns a cross-site scripting problem in the NAT Submenu Description of the FiberHome AN5506-01A ONU GPON RP2511. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: D-Link DIR-816 version 1.01TO Description: A vulnerability has been found in the D-Link DIR-816, affecting an unknown functionality of the file /cgi-bin/webproc?getpage=html/index.html&var:menu=24gwlan&var:page=24G basic. The manipulation of the `SSID` argument leads to cross-site scripting. The attack can be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. Recommendations: As a temporary workaround, consider disabling the `SSID` argument in the affected API endpoint until a patch is available. However, since the products are no longer supported by the maintainer, there is no information about a newer version that contains a fix for this vulnerability. Restrict access to the vulnerable file `/cgi-bin/webproc` to minimize the risk of exploitation. Avoid using the `SSID` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Kong Insomnia versions prior to 10.3.0 Description: A critical issue has been detected in Kong Insomnia, affecting some unknown processing in the library profapi.dll. The manipulation leads to an untrusted search path. An attack must be approached locally and has a rather high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. Recommendations: For versions prior to 10.3.0, consider restricting access to the library profapi.dll to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using any functions that may lead to an untrusted search path in the affected library. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Asus RT-N12E version 2.0.0.19 Description: A vulnerability was found in the Asus RT-N12E, classified as problematic. It affects an unknown function of the file sysinfo.asp. The manipulation of the `SSID` argument leads to cross-site scripting. This attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted about this disclosure but did not respond. Recommendations: For Asus RT-N12E version 2.0.0.19, as a temporary workaround, consider restricting access to the sysinfo.asp file until a patch is available. Avoid using the `SSID` argument in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rise Group Rise Mode Temp CPU version 2.1 **Description** A critical issue has been found, affecting an unknown part of the CRYPTBASE.dll library in the Startup component. This leads to an untrusted search path, and the attack must be launched locally. **Recommendations** For version 2.1, consider restricting access to the CRYPTBASE.dll library to minimize the risk of exploitation. As a temporary workaround, avoid using any functionality that relies on the Startup component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** obsproject OBS Studio versions up to 30.0.2 **Description** A vulnerability has been found in obsproject OBS Studio, affecting an unknown functionality. The manipulation leads to an untrusted search path. The attack needs to be approached locally and has a rather high complexity, making exploitation difficult. The vendor disagrees that this issue is worth reporting, as every attack surface requires privileged access or user compromise. **Recommendations** To fix this issue, it is recommended to apply a patch for versions up to 30.0.2. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Local Storage Todo App version 1.0 **Description** A problem has been found in the code that affects the /js-todo-app/index.html file. The issue arises from the manipulation of the `Add` argument, leading to cross-site scripting. This can be initiated remotely. The exploit for this issue has been made public. **Recommendations** For code-projects Local Storage Todo App version 1.0, consider disabling the `Add` argument functionality until a patch is available to prevent cross-site scripting attacks. Restrict access to the /js-todo-app/index.html file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.