Kirubel

**Name of the Vulnerable Software and Affected Versions** Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router version 1.0.0 **Description** The boa web server URI handler is susceptible to a Denial of Service. An attacker can trigger a kernel deadlock or system hang by sending a high-volume flood of HTTP GET requests to non-existent URIs, which exhausts memory buffers and file descriptors. This condition disables all routing capabilities and the web management portal. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.

**Name of the Vulnerable Software and Affected Versions** Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router version V1.0.0 **Description** The Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router version V1.0.0 does not implement rate limiting on the `/api/login` endpoint. This allows attackers to attempt brute-force password enumeration. The vulnerable parameter is the `password`. **Recommendations** Apply rate limiting to the `/api/login` endpoint to prevent brute-force attacks.