Lilith Wyatt

**Name of the Vulnerable Software and Affected Versions** Bitdefender BOX 2 (affected versions not specified) **Description** A OS Command Injection issue allows the manipulation of the `get image url()` function in special circumstances to inject a system command. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitdefender BOX 2 versions 2.1.47.42 through 2.1.53.45 **Description** A command injection issue has been found in the bootstrap stage of the affected software. The `/api/download image` API method unsafely handles the production firmware URL supplied by remote servers, allowing for the arbitrary execution of system commands. An unauthenticated attacker can exploit this condition by impersonating an infrastructure server. The vulnerability can be exploited by sending a malicious `full ws.tar.gz` file from a smartphone application and creating a fake `nimbus.bitdefender.net` server, enabling the attacker to execute arbitrary commands on the target system. **Recommendations** For versions 2.1.47.42 through 2.1.53.45, as a temporary workaround, consider restricting access to the `/api/download image` API endpoint until a patch is available. Additionally, avoid using the API method to handle URLs from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blynk-Library version 0.6.1 **Description** An information disclosure issue exists in the packet-parsing functionality. A specially crafted packet can cause an unterminated strncpy, resulting in information disclosure. An attacker can send a packet to trigger this issue. **Recommendations** For Blynk-Library version 0.6.1, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Nest Cam IQ Indoor version 4620002 **Description** An exploitable information disclosure issue exists in the Weave Legacy Pairing functionality. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this issue. **Recommendations** For Nest Cam IQ Indoor version 4620002, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Nest Cam IQ Indoor version 4620002 **Description** A denial-of-service issue exists in the Weave error reporting functionality. It can be triggered by a specially crafted weave packet, causing an arbitrary Weave Exchange Session to close. This results in a denial of service. An attacker can exploit this by sending a specially crafted packet. **Recommendations** For Nest Cam IQ Indoor version 4620002, consider disabling the Weave error reporting functionality as a temporary workaround until a patch is available. Restrict access to the Weave Exchange Session to minimize the risk of exploitation. Avoid using specially crafted weave packets in the affected functionality until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Zabbix Server versions 2.4.x Description: The issue allows specifically crafted trapper packets to bypass database logic checks, resulting in unauthorized database writes. This can be exploited by setting up a Man-in-the-Middle server to alter trapper requests between an active Zabbix proxy and Server. Recommendations: For Zabbix Server versions 2.4.x, at the moment, there is no information about a newer version that contains a fix for this vulnerability.