Geo-Chen

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.221 **Description** Non-admin users can permanently delete internal notes (private threads) from any conversation. This occurs because the `ThreadPolicy::delete` authorization policy fails to verify mailbox membership, allowing former team members to maintain destructive write access to notes they created even after their access to the mailbox has been revoked. **Recommendations** Update to version 1.8.221.

**Name of the Vulnerable Software and Affected Versions** FreeScout versions prior to 1.8.221 **Description** A flaw exists in the `ThreadPolicy::edit()` function where the system fails to verify current mailbox membership. A user possessing the `PERM EDIT CONVERSATIONS` permission who previously created a message or internal note in a specific mailbox can modify the body of that thread even after an administrator has removed them from that mailbox. This occurs because the policy only validates the user's authorship and a global permission flag, neglecting to check if the user is still a member of the mailbox. **Recommendations** Update to version 1.8.221.

**Name of the Vulnerable Software and Affected Versions** Marbella KR8s Dashcam FF version 2.0.8 **Description** An issue exists on Marbella KR8s Dashcam FF 2.0.8 devices where video recordings, containing sensitive data such as routes, conversations, and footage, are accessible for download. This is achieved by establishing a socket connection to command port 7777, followed by downloading video data via port 7778 and audio data via port 7779, after gaining access through default, common, or cracked passwords. **Recommendations** Change default or common passwords to strong, unique credentials. Restrict network access to ports 7777, 7778, and 7779.

**Name of the Vulnerable Software and Affected Versions** IROAD Dashcam FX2 (affected versions not specified) **Description** The IROAD Dashcam FX2 devices are affected by an issue where files can be dumped over HTTP and RTSP without authentication. The devices lack authentication controls on their HTTP and RTSP interfaces, allowing attackers to retrieve sensitive files and video recordings. An attacker can download all stored video recordings in an unencrypted manner by connecting to the ''http://192.168.10.1/mnt/extsd/event/'' endpoint. Additionally, the RTSP stream on port 8554 is accessible without authentication, enabling an attacker to view live footage. The vulnerable parameters are not explicitly mentioned. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IROAD Dashcam FX2 devices (affected versions not specified) Description: An issue was discovered that allows an unauthenticated file upload, which can be used to execute arbitrary commands by uploading a CGI-based webshell. This enables an attacker to gain full control over the device with root privileges. Furthermore, uploading a netcat (nc) binary can establish a reverse shell, providing persistent remote and privileged access to the device, resulting in complete device takeover. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Thinkware Car Dashcam F800 Pro up to 20250226 **Description** A vulnerability was found in the Connection Handler component of the Thinkware Car Dashcam F800 Pro, which can be exploited to cause a denial of service. The attack can only be initiated within the local network and has a high complexity, making exploitation difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted about this disclosure but did not respond. **Recommendations** As a temporary workaround, consider restricting access to the Connection Handler component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Thinkware Car Dashcam F800 Pro up to 20250226 **Description** A vulnerability was found in the Thinkware Car Dashcam F800 Pro, affecting some unknown processing of the file /tmp/hostapd.conf of the component Configuration File Handler. The manipulation leads to cleartext storage in a file or on disk. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This issue poses significant security risks to users, including the exposure of sensitive Wi-Fi and cloud account credentials. Millions of devices worldwide may be affected. **Recommendations** As a temporary workaround, consider restricting access to the Configuration File Handler component until a patch is available. Avoid using the default factory passwords, and ensure that all passwords are changed to unique and strong credentials. Restrict access to the dashcam's RTSP feed to minimize the risk of unauthorized surveillance. There is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** YI Car Dashcam version 3.88 **Description** The issue is related to improper access control in the HTTP server, allowing unauthorized actions such as unrestricted file downloads and uploads. Additionally, API commands can be made to modify device settings without proper authorization, including disabling recording, disabling sounds, and performing a factory reset. **Recommendations** For YI Car Dashcam version 3.88, consider restricting access to the HTTP server and API commands until a patch is available. As a temporary workaround, avoid using the device's API for sensitive operations and limit access to the device's settings to prevent unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions 3.2.10 through 4.0.2 **Description** The issue allows an attacker to inject malicious HTML content into the FAQ editor at "http://localhost/admin/index.php?action=editentry", resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. **Recommendations** For versions 3.2.10 through 4.0.2, update to version 4.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the FAQ editor at "http://localhost/admin/index.php?action=editentry" until a patch is applied. Avoid using the FAQ editor until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 3.2.10 **Description** A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an iframe element without user interaction or explicit consent. This can be achieved by inserting an iframe as "source code" in a FAQ record, pointing to a prior "malicious" attachment uploaded by the attacker. The vulnerability allows malicious code or binaries to be dropped on visitors' machines when visiting the FAQ platform, potentially leading to the spread of malware such as worms or ransomware. **Recommendations** For versions prior to 3.2.10, update to version 3.2.10 to fix the issue. As a temporary workaround, consider restricting access to the FAQ Record component or disabling the ability to upload attachments until the update is applied. Additionally, avoid using the iframe element in FAQ records until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 4.0.0 Description: The issue exposes database server credentials when a connection to the database fails. This can occur when the database instance or server is unreachable, resulting in an error that reveals the credentials. For example, when the PostgreSQL server is down, an error is thrown, exposing the database credentials. A remote attacker can exploit this to gain full control over the database by performing a denial of service on the database instance or server, causing the credentials to be exposed. Recommendations: For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the database instance or server to minimize the risk of exploitation. Avoid using the `phpMyFAQSetupInstaller` class until the issue is resolved. Restrict access to the `http://<phpmyfaq-instance>:8080/setup/index.php` endpoint to prevent potential exploitation.