H0E4A0R1T

**Name of the Vulnerable Software and Affected Versions** Altenergy Power Control Software versions up to 20241108 **Description** A critical vulnerability has been found in the Altenergy Power Control Software, affecting the `get status zigbee` function of the file `/index.php/display/status zigbee`. The manipulation of the `date` argument leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Altenergy Power Control Software versions up to 20241108, as a temporary workaround, consider disabling the `get status zigbee` function until a patch is available. Restrict access to the `/index.php/display/status zigbee` endpoint to minimize the risk of exploitation. Avoid using the `date` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Altenergy Power Control Software versions up to 20241108 **Description** A critical issue has been found in the software, affecting some unknown processing of the file /index.php/display/database/, leading to improper authorization. The attack may be initiated remotely. Other endpoints might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For versions up to 20241108, as a temporary workaround, consider restricting access to the /index.php/display/database/ endpoint until a patch is available. Avoid using this endpoint remotely to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90 **Description** A critical issue affects the `sslvpn config mod` function of the `/vpn/list ip network.php` file in the Web Interface component. The manipulation of the `template` and `stylenum` arguments leads to os command injection. This issue can be exploited remotely. **Recommendations** For Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90, as a temporary workaround, consider disabling the `sslvpn config mod` function until a patch is available. Restrict access to the `/vpn/list ip network.php` file to minimize the risk of exploitation. Avoid using the `template` and `stylenum` arguments in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90 **Description** A critical issue affects the function `sslvpn config mod` of the file `/vpn/vpn template style.php` in the Web Interface component. The manipulation of the argument `template/stylenum` leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90, as a temporary workaround, consider disabling the `sslvpn config mod` function until a patch is available. Restrict access to the `/vpn/vpn template style.php` file to minimize the risk of exploitation. Avoid using the `template/stylenum` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 version 3.90 **Description** A critical issue affects the `sslvpn config mod` function of the `/vpn/list service manage.php` file in the Web Interface component. The manipulation of the `template` and `stylenum` arguments leads to OS command injection. This can be initiated remotely. The issue has been publicly disclosed and may be exploited. **Recommendations** For Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 version 3.90, consider disabling the `sslvpn config mod` function as a temporary workaround until a patch is available. Restrict access to the `/vpn/list service manage.php` file to minimize the risk of exploitation. Avoid using the `template` and `stylenum` arguments in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90 **Description** The issue is related to the function `sslvpn config mod` of the file `/vpn/list vpn web custom.php` in the web interface of the affected devices. It is caused by the failure to neutralize special elements used in the command when processing the `template` and `stylenum` parameters. This can lead to OS command injection, allowing a remote attacker to execute arbitrary commands. The attack can be initiated remotely. **Recommendations** For Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90, as a temporary workaround, consider disabling the `sslvpn config mod` function until a patch is available. Restrict access to the `/vpn/list vpn web custom.php` file to minimize the risk of exploitation. Avoid using the `template` and `stylenum` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruijie RG-UAC up to 20240516 **Description** A critical issue affects some unknown functionality of the file /view/vpn/autovpn/sub commit.php, allowing for os command injection through the manipulation of the `key` argument. This can be exploited remotely. The issue has been publicly disclosed and may be used by attackers. **Recommendations** For Ruijie RG-UAC up to 20240516, as a temporary workaround, consider restricting access to the /view/vpn/autovpn/sub commit.php file until a patch is available. Avoid using the `key` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruijie RG-UAC versions up to 20240516 **Description** A critical issue affects an unknown functionality of the file /view/vpn/autovpn/online check.php, allowing for os command injection through the manipulation of the `peernode` argument. This can be exploited remotely. The issue has been publicly disclosed and may be used by attackers. **Recommendations** For Ruijie RG-UAC versions up to 20240516, consider disabling the /view/vpn/autovpn/online check.php file or restricting access to it until a patch is available. Additionally, avoid using the `peernode` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruijie RG-UAC versions up to 20240516 **Description** A critical issue affects the processing of the file /view/systemConfig/sys user/user commit.php, allowing for os command injection through the manipulation of the `email2/user name` argument. This can be exploited remotely. The issue has been publicly disclosed and may be used by attackers. **Recommendations** For Ruijie RG-UAC versions up to 20240516, as a temporary workaround, consider restricting access to the /view/systemConfig/sys user/user commit.php file and avoid using the `email2/user name` argument in this context until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruijie RG-UAC up to 20240516 **Description** A critical issue has been found in the file /view/vpn/autovpn/online.php, where the manipulation of the `peernode` argument leads to os command injection. This allows an attacker to launch the attack remotely and execute arbitrary commands. The exploit has been disclosed to the public. **Recommendations** For Ruijie RG-UAC up to 20240516, as a temporary workaround, consider restricting access to the /view/vpn/autovpn/online.php file to minimize the risk of exploitation. Avoid using the `peernode` argument in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruijie RG-UAC versions up to 20240516 **Description** The issue exists due to the lack of measures to neutralize special elements used in the operating system command. This allows a remote attacker to execute arbitrary commands by manipulating the `phyport` argument in the `addVlan` function of the `/view/networkConfig/vlan/vlan add commit.php` file, leading to os command injection. The exploit has been disclosed to the public and may be used. **Recommendations** For versions up to 20240516, as a temporary workaround, consider restricting access to the `/view/networkConfig/vlan/vlan add commit.php` file until a patch is available. Avoid using the `phyport` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Huashi Private Cloud CDN Live Streaming Acceleration Server up to 20240520 **Description** A critical issue has been found, affecting an unknown function of the file /manager/ipconfig new.php. The manipulation of the `dev` argument leads to os command injection, allowing for remote attacks. **Recommendations** For Huashi Private Cloud CDN Live Streaming Acceleration Server up to 20240520, as a temporary workaround, consider restricting access to the /manager/ipconfig new.php file until a patch is available. Avoid using the `dev` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arris VAP2500 version 08.50 **Description** A critical issue has been found in the Arris VAP2500, affecting an unknown functionality of the file /assoc table.php. The manipulation of the `id` argument leads to command injection. This issue can be exploited remotely. **Recommendations** For Arris VAP2500 version 08.50, as a temporary workaround, consider restricting access to the /assoc table.php file until a patch is available. Avoid using the `id` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Arris VAP2500 version 08.50 **Description** A critical issue affects some unknown functionality of the file /diag s.php. The manipulation of the `customer info` argument leads to command injection. The attack can be launched remotely. **Recommendations** For Arris VAP2500 version 08.50, as a temporary workaround, consider restricting access to the /diag s.php file until a patch is available. Avoid using the `customer info` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Arris VAP2500 version 08.50 **Description** A critical issue has been discovered, affecting an unknown part of the file /tools command.php. The manipulation of the `cmb header/txt command` argument leads to command injection. It is possible to initiate the attack remotely. **Recommendations** For Arris VAP2500 version 08.50, consider restricting access to the /tools command.php file until a patch is available. As a temporary workaround, avoid using the `cmb header/txt command` argument in the affected file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Wangshen SecGate 3600 versions up to 20240516 Description: A critical issue was found, affecting an unknown part of the file /?g=log import save. The manipulation of the `reqfile` argument leads to unrestricted upload. This issue can be initiated remotely. Recommendations: For versions up to 20240516, as a temporary workaround, consider restricting access to the `/?g=log import save` endpoint until a patch is available. Avoid using the `reqfile` argument in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** D-Link DAR-7000-40 version V31R02B1413C **Description** A critical issue has been found in the file /useratte/resmanage.php, allowing for unrestricted upload through the manipulation of the `file` argument. This can be exploited remotely, potentially leading to arbitrary code execution. The issue affects products that are no longer supported by the maintainer, and the vendor has confirmed that the product is end-of-life. **Recommendations** For D-Link DAR-7000-40 version V31R02B1413C, it is recommended to retire and replace the product as it is no longer supported by the maintainer. As a temporary workaround, consider restricting access to the /useratte/resmanage.php file to minimize the risk of exploitation. Avoid using the `file` argument in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DAR-7000-40 version V31R02B1413C D-Link DAR-7000 (affected versions not specified) D-Link DAR-8000 (affected versions not specified) **Description** A critical vulnerability was found in the D-Link DAR-7000 and DAR-8000 routers, affecting an unknown functionality of the file /user/onlineuser.php. The manipulation of the `file upload` argument leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For D-Link DAR-7000-40 version V31R02B1413C: As the product is end-of-life, it should be retired and replaced. For D-Link DAR-7000 and DAR-8000: Since these products are no longer supported by the maintainer, they should be retired and replaced. As a temporary workaround, consider disabling the `/user/onlineuser.php` file to minimize the risk of exploitation. Restrict access to the `file upload` argument in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Link DAR-7000-40 version V31R02B1413C **Description** A critical vulnerability has been found in the D-Link DAR-7000-40, affecting an unknown function of the file `interface/sysmanage/licenseauthorization.php`. The manipulation of the argument `file upload` leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This issue allows a remote attacker to execute arbitrary code. **Recommendations** As a temporary workaround, consider disabling the `file upload` argument in the `licenseauthorization.php` file until a patch is available. However, since the product is end-of-life, the vendor recommends retiring and replacing it with a supported version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DAR-7000-40 version V31R02B1413C D-Link DAR-7000 (affected versions not specified) D-Link DAR-8000 (affected versions not specified) **Description** A critical issue affects an unknown part of the file /url/url.php, allowing for unrestricted upload through the manipulation of the `file upload` argument. This can be initiated remotely, potentially leading to the execution of arbitrary code. The exploit has been disclosed publicly. **Recommendations** For D-Link DAR-7000-40 version V31R02B1413C: Consider retiring and replacing the product as it is end-of-life. For D-Link DAR-7000 and D-Link DAR-8000: As these products are also affected but specific versions are not provided, it is recommended to check with the vendor for the latest information on retirement and replacement, given their end-of-life status. At the moment, there is no information about a newer version that contains a fix for this vulnerability.