Julian Muñoz

**Name of the Vulnerable Software and Affected Versions** JetBrains Hub versions prior to 2022.1.14638 **Description** The issue allows for stored XSS via project icon. **Recommendations** For versions prior to 2022.1.14638, update to version 2022.1.14638 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** D-Link Central WiFi Manager versions prior to 1.03r0100-Beta1 **Description** The issue exists due to the lack of protection for the web page structure in the UpdateSite function of the D-Link Central WiFi Manager. This allows a remote attacker to inject arbitrary code into the loaded web page. The `sitename` parameter of the "UpdateSite" endpoint is vulnerable to stored XSS. **Recommendations** For versions prior to 1.03r0100-Beta1, update to version 1.03r0100-Beta1 or later to resolve the issue. As a temporary workaround, consider restricting access to the UpdateSite endpoint to minimize the risk of exploitation. Avoid using the `sitename` parameter in the UpdateSite endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** D-Link Central WiFi Manager versions prior to 1.03r0100-Beta1 **Description** The issue is related to an unrestricted file upload vulnerability in the "onUploadLogPic" endpoint, which allows remote authenticated users to execute arbitrary PHP code. This vulnerability can be exploited by a remote attacker to inject arbitrary HTML code. **Recommendations** For versions prior to 1.03r0100-Beta1, update to version 1.03r0100-Beta1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "onUploadLogPic" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** D-Link Central WiFi Manager versions prior to 1.03r0100-Beta1 **Description** An issue exists due to inadequate protection of the web page structure, allowing a remote attacker to inject arbitrary code into a loaded web page. The `username` parameter of the "addUser" endpoint is vulnerable to stored XSS. **Recommendations** For versions prior to 1.03r0100-Beta1, update to version 1.03r0100-Beta1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "addUser" endpoint to minimize the risk of exploitation. Avoid using the `username` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** D-Link Central WiFi Manager versions prior to 1.03r0100-Beta1 **Description** The issue is related to the use of hardcoded credentials for the FTP service, which runs on port 9000. This allows a remote attacker to execute arbitrary PHP code by uploading a file to the web root directory and then accessing it. The hardcoded credentials used are `admin` for both the username and password. **Recommendations** For versions prior to 1.03r0100-Beta1, update to version 1.03r0100-Beta1 or later to resolve the issue. As a temporary workaround, consider changing the default FTP credentials and restricting access to the FTP server on port 9000 to minimize the risk of exploitation.