Matteo Strada

**Name of the Vulnerable Software and Affected Versions** Music Player Daemon (MPD) versions prior to 0.24.11 **Description** A CRLF injection issue exists in the `xspf char data()` function within the XSPF playlist plugin. This occurs because Expat decodes XML numeric character references before the character data callback, allowing attackers to embed literal Carriage Return (CR) and Line Feed (LF) bytes in URI fields by providing a malicious XSPF playlist. Consequently, forged key-value lines can be injected via the `location` field into the state file writer and MPD protocol responses, specifically the 'playlistinfo', 'currentsong', and 'listplaylist' outputs. **Recommendations** Update to version 0.24.11 or later.

**Name of the Vulnerable Software and Affected Versions** Music Player Daemon (MPD) versions prior to 0.24.11 **Description** A stack buffer overflow exists in the `pcm unpack 24be()` function within `src/pcm/Pack.cxx`. This issue allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. By issuing two MPD commands that reference a malicious HTTP audio source, an attacker can cause the unpack loop to write 1366 entries into a 1365-entry buffer. This process overwrites four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, which can lead to daemon termination or potential code execution. **Recommendations** Update to version 0.24.11 or later.

**Name of the Vulnerable Software and Affected Versions** Music Player Daemon (MPD) versions prior to 0.24.11 **Description** A path traversal issue exists within the local storage plugin in the functions `LocalStorage::MapFSOrThrow()` and `LocalStorage::MapUTF8()`. The flaw occurs because the on-disk path is created by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to remain in the resolved path. An unauthenticated attacker can use the 'listfiles' command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, or the 'albumart' command to read image files in any directory outside the configured `music directory`. **Recommendations** Update to version 0.24.11 or later.

**Name of the Vulnerable Software and Affected Versions** Music Player Daemon (MPD) versions prior to 0.24.11 **Description** A server-side request forgery (SSRF) issue exists in the CurlInputPlugin. The `CURLOPT FOLLOWLOCATION` option is enabled without specifying `CURLOPT REDIR PROTOCOLS STR`, which allows unauthenticated attackers to bypass http/https scheme restrictions. By using a malicious HTTP server to redirect requests to non-HTTP protocols—such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp—attackers can interact with internal or restricted network services. This is possible on systems using libcurl versions prior to 7.85.0. The issue can be triggered via MPD commands that initiate URL fetches, specifically `add`, `readcomments`, `albumart`, `readpicture`, or `load`. **Recommendations** Update to version 0.24.11 or later.

**Name of the Vulnerable Software and Affected Versions** WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) **Description** An OS command injection issue exists in the `reboot time()` function of the 'adm.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by sending a crafted request containing shell metacharacters in the `reboot time` POST parameter when `reboot enabled` is set to 1. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 **Description** A stack-based buffer overflow exists in the 'firewall.cgi' and 'makeRequest.cgi' binaries. Unauthenticated attackers can overwrite the saved return address by sending a POST request with a `Content-Length` header exceeding 512 bytes. This is caused by insufficient length validation in the `fgets()` function, which can lead to arbitrary code execution using return-oriented programming or return-to-libc techniques. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) **Description** An OS command injection issue exists in the `firewall.cgi` binary across five request handlers due to insufficient input validation. Attackers can inject arbitrary shell commands using subshell syntax or unfiltered parameters. The affected parameters include `websURLFilter`, `websHostFilter`, `portForward`, `singlePortForward`, and `ipportFilter`. Injected payloads persist in NVRAM and re-execute during every subsequent request to `firewall.cgi`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) **Description** An OS command injection issue exists in the 'wireless.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by injecting malicious input into the `sz11gChannel` or `PIN` POST parameters. This is possible due to unsanitized parameter handling within the `set wifi basic()` and `set wifi do wps()` functions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) **Description** An OS command injection issue exists in the 'internet.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by injecting malicious input into the `gateway` POST parameter. This occurs due to unsanitized parameter concatenation within the `set add routing()` function, where commands are executed via `popen()`, and partial output is reflected in the HTTP response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WDR201A WiFi Extender HW V2.1 FW LFMZX28040922V1.02 **Description** An OS command injection issue exists in the 'makeRequest.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by injecting malicious input into the `set time` or `StartSniffer` functions. This is achieved by crafting a POST request with ampersand-delimited parameters to bypass input sanitization, allowing command execution with a maximum length of 31 bytes via the `date` command or channel parameter processing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZIRA Group WBRM version 7.0 **Description** ZIRA Group WBRM version 7.0 is susceptible to a SQL Injection issue occurring in the `referenceLookupsByTableNameAndColumnName` function. The issue allows for potential manipulation of database queries through crafted input. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.