Karn Ganeshen

**Name of the Vulnerable Software and Affected Versions** Python version 2.7.13 pgAdmin4 (affected versions not specified) **Description** A problematic issue was found, affecting the pgAdmin4 component. This issue leads to an uncontrolled search path and can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Python version 2.7.13, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For pgAdmin4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fuji Electric Energy Savings Estimator versions V.1.0.2.0 and prior **Description** An uncontrolled search path element, also known as DLL Hijacking, issue has been identified. This could allow an attacker to gain access to the system with the same level of privilege as the application using the malicious DLL. **Recommendations** For Fuji Electric Energy Savings Estimator versions V.1.0.2.0 and prior, update to a version that contains a fix for this issue, as using a vulnerable version may pose a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks cnPilot firmware versions 4.3.2-R4 and prior **Description** The issue affects the web administrative console of the firmware, where the 'ping' and 'traceroute' functions expose a file path traversal vulnerability. This vulnerability is accessible to all authenticated users. **Recommendations** For versions 4.3.2-R4 and prior, consider restricting access to the 'ping' and 'traceroute' functions of the web administrative console until a patch is available. As a temporary workaround, limit the use of the web administrative console to necessary personnel only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks cnPilot firmware versions 4.3.2-R4 and prior **Description** The issue concerns an undocumented, root-privilege administration web shell accessible via a specific HTTP path. This path is "https://<device-ip-or-hostname>/adm/syscmd.asp". **Recommendations** For versions 4.3.2-R4 and prior, consider restricting access to the "/adm/syscmd.asp" endpoint until a patch is available. As a temporary workaround, limit exposure by disabling remote access to the administration interface if possible. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks cnPilot firmware versions 4.3.2-R4 and prior **Description** The issue allows access to sensitive information through the SNMP read-only community string by OID reference. **Recommendations** For versions 4.3.2-R4 and prior, consider restricting access to the SNMP read-only community string to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks ePMP firmware versions prior to 3.5 **Description** The issue allows all authenticated users to update the Device Name and System Description fields in the web administration console. These fields are vulnerable to persistent cross-site scripting (XSS) injection. **Recommendations** For versions prior to 3.5, update to version 3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the web administration console to minimize the risk of exploitation. Avoid using the Device Name and System Description fields in the web administration console until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks ePMP firmware versions prior to 3.5 **Description** The issue allows an attacker who knows or can guess the RW community string to provide a URL for a configuration file over SNMP with XSS strings in certain SNMP OIDs. The attacker can serve this file via HTTP, and the affected device will perform a configuration restore using the attacker's supplied config file, including the inserted XSS strings. **Recommendations** For versions prior to 3.5, update to version 3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to SNMP and limiting the use of the RW community string until a patch is available. Avoid using potentially malicious configuration files from untrusted sources.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks ePMP firmware versions prior to 3.5 **Description** The issue allows an attacker who knows or guesses the SNMP read/write community string to insert XSS strings in certain SNMP OIDs, which will execute in the context of the currently logged-on user. **Recommendations** For versions prior to 3.5, update to a version 3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the SNMP read/write community string to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks cnPilot firmware versions 4.3.2-R4 and prior **Description** The issue allows a low-privilege 'user' account to access the configuration file via direct object reference (DOR) at the "http://<device-ip-or-hostname>/goform/down cfg file" endpoint, despite this option not being available in the normal web administrative console. **Recommendations** For Cambium Networks cnPilot firmware versions 4.3.2-R4 and prior, as a temporary workaround, consider restricting access to the "/goform/down cfg file" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks cnPilot firmware versions 4.3.2-R4 and prior **Description** The issue is related to the lack of CSRF controls, which can be mitigated by implementing randomized per-session tokens associated with any web application function, especially destructive ones. This lack of control makes the system susceptible to CSRF attacks. **Recommendations** For versions 4.3.2-R4 and prior, consider implementing CSRF controls, such as randomized per-session tokens, to mitigate the effects of CSRF attacks. As a temporary workaround, restrict access to destructive web application functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks ePMP firmware versions prior to 3.5 **Description** The issue allows non-administrative users, specifically 'installer' and 'home', to change passwords for other accounts, including administrative ones, by bypassing a client-side protection mechanism. **Recommendations** For versions prior to 3.5, consider restricting access to the password change functionality for non-administrative users until a fix is available. As a temporary workaround, disable the ability for 'installer' and 'home' users to modify account passwords. Restrict access to the firmware configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cambium Networks ePMP firmware versions prior to 3.5 **Description** The issue is related to a lack of input sanitation for certain parameters on the web management console. This allows any authenticated user, including low-privilege readonly users, to inject shell meta-characters as part of a specially-crafted POST request to the `get chart` function and run OS-level commands, effectively as root. **Recommendations** For versions prior to 3.5, update to a version 3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the web management console to minimize the risk of exploitation. Avoid using the `get chart` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Progea Movicon versions prior to 11.5.1181 **Description** A security issue was found related to an unquoted search path or element. This could potentially allow a local user with authorization to insert arbitrary code into the service path, leading to privilege escalation. **Recommendations** For versions prior to 11.5.1181, update to a version that includes a fix for this issue to prevent potential privilege escalation.

**Name of the Vulnerable Software and Affected Versions** ZTE ADSL ZXV10 W300 modems versions W300V2.1.0f ER7 PE O57 through W300V2.1.0h ER7 PE O57 **Description** The issue allows user accounts to have multiple valid `username` and `password` pairs. This enables remote authenticated users to login to a target account via any of its `username` and `password` pairs. **Recommendations** For versions W300V2.1.0f ER7 PE O57 through W300V2.1.0h ER7 PE O57, consider restricting access to user accounts to minimize the risk of exploitation by ensuring each account has a unique `username` and `password` pair. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZTE ADSL ZXV10 W300 modems versions W300V2.1.0f ER7 PE O57 through W300V2.1.0h ER7 PE O57 **Description** The issue allows remote authenticated non-administrator users to change the admin password. This is achieved by intercepting an outgoing password change request and modifying the `username` parameter from `support` to `admin`. **Recommendations** For versions W300V2.1.0f ER7 PE O57 through W300V2.1.0h ER7 PE O57, as a temporary workaround, consider restricting access to the password change functionality to prevent unauthorized admin password changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZTE ADSL ZXV10 W300 modems versions W300V2.1.0f ER7 PE O57 through W300V2.1.0h ER7 PE O57 **Description** The issue allows remote authenticated users to obtain user passwords by displaying user information in a Telnet connection. **Recommendations** For versions W300V2.1.0f ER7 PE O57 through W300V2.1.0h ER7 PE O57, consider restricting Telnet access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SpiderControl SCADA Web Server (affected versions not specified) **Description** A Directory Traversal issue was discovered, allowing an attacker to potentially use a simple GET request to perform a directory traversal into system files, leading to information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SpiderControl SCADA MicroBrowser versions 1.6.30.144 and prior **Description** A Stack-based Buffer Overflow issue was discovered. Opening a maliciously crafted html file may cause a stack overflow. **Recommendations** For SpiderControl SCADA MicroBrowser versions 1.6.30.144 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WAGO IO 750-849 version 01.01.27 WAGO IO 750-881 version 01.02.05 **Description** The issue is related to the lack of privilege separation. **Recommendations** For WAGO IO 750-849 version 01.01.27, consider implementing additional access controls to minimize the risk of exploitation. For WAGO IO 750-881 version 01.02.05, restrict access to sensitive areas of the system to reduce the potential impact of the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WAGO IO 750-849 versions 01.01.27 through 01.02.05 WAGO IO 750-881 WAGO IO 758-870 **Description** The issue is related to weak credential management. **Recommendations** For WAGO IO 750-849 versions 01.01.27 through 01.02.05, update the credential management system to enforce strong passwords and consider implementing additional authentication measures. For WAGO IO 750-881, improve credential storage and transmission to prevent unauthorized access. For WAGO IO 758-870, enhance the authentication process to mitigate the risk of weak credentials being exploited.