Lcyf-Fizz

Name of the Vulnerable Software and Affected Versions: riscv-boom SonicBOOM versions through 2.2.3 Description: A timing discrepancy exists in the L1 Data Cache Handler component of the software. This issue is considered problematic and requires local access for exploitation, which is described as difficult. The vendor was contacted regarding this disclosure but did not respond. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK X2000R version 1.0.0-B20230726.1108 **Description** The issue is related to a cross-site scripting vulnerability in the Virtual Server Page of the TOTOLINK X2000R router. This vulnerability can be exploited remotely by manipulating the `service type` argument, allowing an attacker to conduct cross-site scripting attacks. The exploit for this issue has been disclosed publicly. **Recommendations** For TOTOLINK X2000R version 1.0.0-B20230726.1108, as a temporary workaround, consider restricting access to the Virtual Server Page or disabling the manipulation of the `service type` argument until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK X2000R version 1.0.0-B20230726.1108 **Description** A vulnerability was found in the Parent Controls Page component of the affected software. The issue arises from the manipulation of the `Device Name` argument, leading to cross-site scripting. This can be exploited remotely. **Recommendations** For TOTOLINK X2000R version 1.0.0-B20230726.1108, as a temporary workaround, consider restricting access to the Parent Controls Page until a patch is available. Avoid using the `Device Name` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3002RU version 2.1.1-B20230720.1011 **Description** The issue is related to the IP/Port Filtering module of the TOTOLINK A3002RU router's firmware, where the `Comment` parameter is not properly protected, leading to cross-site scripting (XSS) attacks. This can be exploited remotely. The vendor was contacted about the disclosure but did not respond. **Recommendations** As a temporary workaround, consider disabling the IP Port Filtering Page until a patch is available. Restrict access to the IP Port Filtering Page to minimize the risk of exploitation. Avoid using the `Comment` argument in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3002RU version 2.1.1-B20230720.1011 **Description** A vulnerability was found in the MAC Filtering Page component of the affected software. The issue arises from the manipulation of the `Comment` argument, leading to cross-site scripting. This can be exploited remotely. The vendor was contacted about the disclosure but did not respond. **Recommendations** For TOTOLINK A3002RU version 2.1.1-B20230720.1011, as a temporary workaround, consider restricting access to the MAC Filtering Page or disabling the functionality that allows manipulation of the `Comment` argument until a patch is available. Avoid using the `Comment` argument in the affected component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3002RU version 2.1.1-B20230720.1011 **Description** A vulnerability was found in the NAT Mapping Page component of the affected software. The issue is related to the manipulation of the `Comment` argument, which leads to cross-site scripting. This can be exploited remotely. The vendor was contacted about the disclosure but did not respond. **Recommendations** For TOTOLINK A3002RU version 2.1.1-B20230720.1011, as a temporary workaround, consider restricting access to the NAT Mapping Page or disabling the manipulation of the `Comment` argument until a patch is available. Avoid using the `Comment` parameter in the affected page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK X2000R version 1.0.0-B20230726.1108 **Description** A critical issue exists in the TOTOLINK X2000R router related to insufficient input validation when processing the `peerRptPin` parameter. Exploitation of this issue can allow a remote attacker to execute arbitrary code by sending specially crafted POST requests to the `/boafrm/formWsc` API endpoint. The vulnerability leads to command injection. The exploit has been publicly disclosed and may be used. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** For TOTOLINK X2000R version 1.0.0-B20230726.1108, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3002RU version 2.1.1-B20230720.1011 **Description** A vulnerability was found in the Virtual Server Page component, specifically affecting the processing of the file /boafrm/formPortFw. The manipulation of the `service type` argument leads to cross-site scripting. This issue can be exploited remotely. **Recommendations** For TOTOLINK A3002RU version 2.1.1-B20230720.1011, as a temporary workaround, consider restricting access to the Virtual Server Page component until a patch is available. Avoid using the `service type` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK X2000R version 1.0.0-B20230726.1108 **Description** A vulnerability was found in the TOTOLINK X2000R, affecting an unknown part of the file /boafrm/formFilter of the component URL Filtering Page. The manipulation of the `URL Address` argument leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond. **Recommendations** As a temporary workaround, consider disabling the URL Filtering Page until a patch is available. Restrict access to the `/boafrm/formFilter` file to minimize the risk of exploitation. Avoid using the `URL Address` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK X2000R version 1.0.0-B20230726.1108 **Description** A critical issue has been found in the software, affecting some unknown functionality of the file /boafrm/formMapDel. The manipulation of the argument `devicemac1` leads to command injection. This issue can be exploited remotely. **Recommendations** For TOTOLINK X2000R version 1.0.0-B20230726.1108, as a temporary workaround, consider restricting access to the /boafrm/formMapDel file and avoid using the `devicemac1` argument in the affected functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: D-Link DAP-2695 version 120b36r137 ALL en 20210528 Description: A vulnerability was found in the ARP Spoofing Prevention Page component, specifically in the file /adv arpspoofing.php. The manipulation of the `harp mac` argument leads to cross-site scripting. The attack can be initiated remotely. This issue affects products that are no longer supported by the maintainer. Recommendations: For D-Link DAP-2695 version 120b36r137 ALL en 20210528, as a temporary workaround, consider restricting access to the /adv arpspoofing.php file and avoiding the use of the `harp mac` argument in the ARP Spoofing Prevention Page until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TOTOLINK A3002R version 2.1.1-B20230720.1011 Description: A problematic issue has been found in the VPN Page component of the affected software. The manipulation of the `Comment` argument leads to cross-site scripting. This issue can be exploited remotely. Recommendations: For TOTOLINK A3002R version 2.1.1-B20230720.1011, as a temporary workaround, consider restricting access to the VPN Page or avoiding the use of the `Comment` argument in this context until a patch is available.

Name of the Vulnerable Software and Affected Versions: D-Link DAP-2695 version 120b36r137 ALL en 20210528 Description: A vulnerability was found in the MAC Bypass Settings Page, specifically affecting the file /adv macbypass.php. The manipulation of the argument `f mac` leads to cross-site scripting. This issue can be exploited remotely. The vulnerability only affects products that are no longer supported by the maintainer. Recommendations: For D-Link DAP-2695 version 120b36r137 ALL en 20210528, as a temporary workaround, consider disabling access to the /adv macbypass.php file until a patch is available. Restrict the use of the `f mac` argument in the MAC Bypass Settings Page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DAP-2695 version 120b36r137 ALL en 20210528 **Description** A vulnerability has been found in the Static Pool Settings Page component, specifically in the /adv dhcps.php file. The manipulation of the `f mac` argument leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This issue only affects products that are no longer supported by the maintainer. **Recommendations** As a temporary workaround, consider disabling the `f mac` argument in the /adv dhcps.php file until a patch is available. Restrict access to the Static Pool Settings Page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK N150RT version 3.4.0-B20190525 **Description** A problematic issue has been found in the URL Filtering Page component, allowing for cross-site scripting through remote manipulation. The exploit has been publicly disclosed. **Recommendations** For TOTOLINK N150RT version 3.4.0-B20190525, consider restricting access to the URL Filtering Page as a temporary workaround until a patch is available. Avoid using the URL Filtering Page remotely to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK N150RT version 3.4.0-B20190525 **Description** A vulnerability was found in the Virtual Server Page component, leading to cross-site scripting. The attack can be initiated remotely, and the exploit has been disclosed to the public. **Recommendations** As a temporary workaround, consider restricting access to the Virtual Server Page component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK N150RT version 3.4.0-B20190525 **Description** A critical vulnerability has been found in the TOTOLINK N150RT, affecting some unknown processing of the file /boafrm/formWsc. The manipulation of the `localPin` argument leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** As a temporary workaround, consider restricting access to the /boafrm/formWsc file until a patch is available. Avoid manipulating the `localPin` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNU Binutils versions up to 2.44 **Description** A critical issue was found in GNU Binutils, affecting the `elf gc sweep` function of the `ld` component. This issue leads to memory corruption and can be exploited locally. The exploit has been disclosed publicly and may be used. **Recommendations** For GNU Binutils versions up to 2.44, upgrade to version 2.45 to address this issue. As a temporary workaround, consider disabling the `elf gc sweep` function until a patch is available. Restrict access to the `bfd/elflink.c` file to minimize the risk of exploitation. Avoid using the affected `ld` component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK N150RT version 3.4.0-B20190525 **Description** A vulnerability was found in the LAN Settings Page component, specifically in the /boafrm/fromStaticDHCP file. The manipulation of the `Hostname` argument leads to cross-site scripting. The attack can be launched remotely. **Recommendations** For version 3.4.0-B20190525, consider restricting access to the /boafrm/fromStaticDHCP file to minimize the risk of exploitation. Avoid using the `Hostname` argument in the affected LAN Settings Page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK N150RT version 3.4.0-B20190525 **Description** A problematic issue has been found, affecting an unknown function of the file /home.htm of the IP Port Filtering component. The manipulation of the `Comment` argument leads to cross-site scripting. This issue can be exploited remotely. **Recommendations** For TOTOLINK N150RT version 3.4.0-B20190525, as a temporary workaround, consider restricting access to the IP Port Filtering component to minimize the risk of exploitation. Avoid using the `Comment` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.