Kaixiang Zhang

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-868L versions DIR868LA1 FW112b04 and earlier D-Link DIR-865L versions DIR-865L REVA FIRMWARE PATCH 1.08.B01 and earlier D-Link DIR-860L versions DIR860LA1 FW110b04 and earlier **Description** The issue allows remote attackers to read a cookie via a crafted `Treturn` parameter to the `soap.cgi` endpoint. This is due to an XSS vulnerability in the `htdocs/webinc/js/bsc sms inbox.php` file. **Recommendations** For D-Link DIR-868L versions DIR868LA1 FW112b04 and earlier, consider disabling access to the `soap.cgi` endpoint until a patch is available. For D-Link DIR-865L versions DIR-865L REVA FIRMWARE PATCH 1.08.B01 and earlier, restrict the use of the `Treturn` parameter in the `soap.cgi` endpoint to minimize the risk of exploitation. For D-Link DIR-860L versions DIR860LA1 FW110b04 and earlier, avoid using the `Treturn` parameter in the `soap.cgi` endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-868L versions DIR868LA1 FW112b04 and earlier D-Link DIR-865L versions DIR-865L REVA FIRMWARE PATCH 1.08.B01 and earlier D-Link DIR-860L versions DIR860LA1 FW110b04 and earlier **Description** The issue allows remote attackers to read a cookie via a crafted `deviceid` parameter to "soap.cgi". This is due to inadequate protection of the web page structure in the htdocs/webinc/js/adv parent ctrl map.php script of D-Link DIR-860L, DIR-865L, and DIR-868L routers. Exploitation of this issue may enable a remote attacker to conduct an XSS attack. **Recommendations** For D-Link DIR-868L versions DIR868LA1 FW112b04 and earlier, update to a version that fixes this issue. For D-Link DIR-865L versions DIR-865L REVA FIRMWARE PATCH 1.08.B01 and earlier, update to a version that fixes this issue. For D-Link DIR-860L versions DIR860LA1 FW110b04 and earlier, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the vulnerable "soap.cgi" endpoint and the `deviceid` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-860L versions prior to DIR860LA1 FW110b04 D-Link DIR-865L versions prior to DIR-865L REVA FIRMWARE PATCH 1.08.B01 D-Link DIR-868L versions prior to DIR868LA1 FW112b04 **Description** The issue is related to improper input validation in the htdocs/webinc/body/bsc sms send.php script of D-Link router software. This can be exploited by a remote attacker to conduct an XSS attack via a specially crafted parameter for `soap.cgi`, potentially allowing the attacker to read cookies. **Recommendations** For D-Link DIR-860L versions prior to DIR860LA1 FW110b04, update to a version newer than DIR860LA1 FW110b04. For D-Link DIR-865L versions prior to DIR-865L REVA FIRMWARE PATCH 1.08.B01, update to a version newer than DIR-865L REVA FIRMWARE PATCH 1.08.B01. For D-Link DIR-868L versions prior to DIR868LA1 FW112b04, update to a version newer than DIR868LA1 FW112b04. As a temporary workaround, consider restricting access to the `soap.cgi` endpoint and the `receiver` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: D-Link DIR-868L versions prior to DIR868LA1 FW112b04 D-Link DIR-865L versions prior to DIR-865L REVA FIRMWARE PATCH 1.08.B01 D-Link DIR-880L versions prior to DIR-880L REVA FIRMWARE PATCH 1.08B04 D-Link DIR-860L versions prior to DIR860LA1 FW110b04 Description: The issue is related to the soapcgi main function in the soap.cgi script (/htdocs/cgibin/soap.cgi) of D-Link router microsoftware, which fails to neutralize special elements used in an operating system command. This allows a remote attacker to execute arbitrary OS commands using the `service` parameter. Recommendations: For D-Link DIR-868L versions prior to DIR868LA1 FW112b04, update to a version newer than DIR868LA1 FW112b04. For D-Link DIR-865L versions prior to DIR-865L REVA FIRMWARE PATCH 1.08.B01, update to a version newer than DIR-865L REVA FIRMWARE PATCH 1.08.B01. For D-Link DIR-880L versions prior to DIR-880L REVA FIRMWARE PATCH 1.08B04, update to a version newer than DIR-880L REVA FIRMWARE PATCH 1.08B04. For D-Link DIR-860L versions prior to DIR860LA1 FW110b04, update to a version newer than DIR860LA1 FW110b04. As a temporary workaround, consider restricting access to the vulnerable `soap.cgi` script until a patch is available. Avoid using the `service` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libtiff versions prior to 4.0.6 **Description** The issue is related to the improper handling of data by the `TIFFFax3fillruns` function in the libtiff library. This can be exploited by remote attackers to cause a denial of service, resulting in a divide-by-zero error and application crash, via a crafted Tiff image. **Recommendations** For versions prior to 4.0.6, update to version 4.0.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `TIFFFax3fillruns` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** LibTIFF versions 4.0.6 and earlier **Description** The issue allows an attacker to cause a denial of service, specifically an out-of-bounds read, via vectors related to the `bytecounts[]` array variable. This is due to vulnerabilities in the `(1) cpStrips` and `(2) cpTiles` functions in the thumbnail tool. **Recommendations** For LibTIFF versions 4.0.6 and earlier, consider disabling the `cpStrips` and `cpTiles` functions in the thumbnail tool as a temporary workaround until a patch is available. Restrict access to the thumbnail tool to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibTIFF versions 4.0.6 and earlier **Description** The issue allows remote attackers to cause a denial of service, specifically an out-of-bounds read, via vectors related to the `src` variable. This is related to the `setrow` function in the thumbnail tool. **Recommendations** For LibTIFF versions 4.0.6 and earlier, consider restricting access to the thumbnail tool until a patch is available. As a temporary workaround, avoid using the `setrow` function in the thumbnail tool to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibTIFF versions 4.0.6 and earlier **Description** The issue allows remote attackers to cause a denial of service, specifically an out-of-bounds read, via vectors related to field tag matching in the tagCompare function. This is a problem related to the thumbnail tool in the affected software. **Recommendations** For LibTIFF versions 4.0.6 and earlier, consider disabling the tagCompare function in the thumbnail tool as a temporary workaround until a patch is available. Restrict access to the thumbnail tool to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibTIFF versions 4.0.6 and earlier **Description** The issue allows remote attackers to cause a denial of service, specifically an out-of-bounds read, through vectors involving the `ma` variable in the TIFFWriteDirectoryTagLongLong8Array function. **Recommendations** For LibTIFF versions 4.0.6 and earlier, consider updating to a newer version to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libtiff versions 4.0.6 and earlier **Description** The issue is related to a buffer overflow in the `PixarLogDecode` function in `libtiff.so`, which can be exploited by attackers using a crafted TIFF file to cause a denial of service attack, resulting in a crash. This function is used in applications such as GNOME nautilus. **Recommendations** For libtiff versions 4.0.6 and earlier, update to a version later than 4.0.6 to resolve the issue. As a temporary workaround, consider restricting the use of crafted TIFF files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libtiff versions 4.0.6 and earlier **Description** The issue is related to an out-of-bounds read in the PixarLogCleanup function in tif pixarlog.c. This allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool. **Recommendations** For libtiff versions 4.0.6 and earlier, consider updating to a newer version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.