Heitor Gouvêa

**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.4.134 **Description** The issue allows for Server-Side Request Forgery (SSRF) in the REST client. This is achieved via the `use full path` parameter with an arbitrary URL. **Recommendations** For versions prior to 2.4.134, update to version 2.4.134 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `use full path` parameter in the REST client until a patch is available.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-610 devices (affected versions not specified) **Description** The issue allows information disclosure via the `SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED GROUP=1` parameter to the "getcfg.php" endpoint. This affects products that are no longer supported by the maintainer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-610 devices (affected versions not specified) **Description** The issue allows for Remote Command Execution via the `cmd` parameter to "command.php". This is due to the lack of measures to neutralize special elements used in the operating system command. An attacker can exploit this to execute arbitrary commands remotely. The vulnerability only affects products that are no longer supported by the maintainer. **Recommendations** For D-Link DIR-610 devices, as a temporary workaround, consider disabling access to the "command.php" file until a patch is available. Restrict access to the `cmd` parameter in the "command.php" file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.