Maxim Suslov

**Name of the Vulnerable Software and Affected Versions** Cisco Unity Connection (affected versions not specified) **Description** A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by uploading arbitrary files to an affected system. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 version V5.21(AAZF.14)C0 Zyxel NAS542 version V5.21(ABAG.11)C0 **Description** A command injection issue exists in the `show zysync server contents` function, allowing an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request. This is due to the lack of neutralization of special elements used in the operating system command. The exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** For Zyxel NAS326 version V5.21(AAZF.14)C0, consider disabling the `show zysync server contents` function until a patch is available. For Zyxel NAS542 version V5.21(ABAG.11)C0, consider disabling the `show zysync server contents` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 version V5.21(AAZF.14)C0 Zyxel NAS542 version V5.21(ABAG.11)C0 **Description** A command injection issue exists in the web server of the Zyxel NAS326 and NAS542 firmware due to the lack of neutralization of special elements used in operating system commands. This could allow a remote attacker to execute arbitrary operating system commands by sending a specially crafted URL to a vulnerable device. **Recommendations** For Zyxel NAS326 version V5.21(AAZF.14)C0, update the firmware to a version that includes a fix for this issue. For Zyxel NAS542 version V5.21(ABAG.11)C0, update the firmware to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the web server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 version V5.21(AAZF.14)C0 Zyxel NAS542 version V5.21(ABAG.11)C0 **Description** The issue is related to an improper authentication vulnerability in the authentication module of the Zyxel NAS326 and NAS542 firmware. This vulnerability could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device. The vulnerability is associated with deficiencies in the authentication procedure, which can be exploited to gain unauthorized access to the device. **Recommendations** For Zyxel NAS326 version V5.21(AAZF.14)C0, consider disabling the authentication module until a patch is available. For Zyxel NAS542 version V5.21(ABAG.11)C0, restrict access to the device to minimize the risk of exploitation. As a temporary workaround, avoid using the vulnerable firmware versions until a fixed version is released. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 versions prior to V5.21(AAZF.14)C0 Zyxel NAS540 versions prior to V5.21(AATB.11)C0 Zyxel NAS542 versions prior to V5.21(ABAG.11)C0 **Description** The pre-authentication command injection issue in Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. This could enable an attacker to run arbitrary commands on affected systems. **Recommendations** For Zyxel NAS326 versions prior to V5.21(AAZF.14)C0, update to version V5.21(AAZF.14)C0 or later. For Zyxel NAS540 versions prior to V5.21(AATB.11)C0, update to version V5.21(AATB.11)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.11)C0, update to version V5.21(ABAG.11)C0 or later. As a temporary workaround, consider restricting access to the affected devices until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Cisco Firepower Management Center (FMC) Software (affected versions not specified) **Description** A vulnerability in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to bypass security protections and upload malicious files to the affected system. This is due to improper validation of files uploaded to the web management interface. An attacker could exploit this by uploading a maliciously crafted file, allowing them to store malicious files on the device and potentially execute arbitrary code on the affected device with root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified) Cisco Firepower Threat Defense (FTD) Software (affected versions not specified) **Description** A vulnerability in the web services interface could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This issue is due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link, potentially allowing the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. **Recommendations** For Cisco Adaptive Security Appliance (ASA) Software, update to a version that includes the fix for this issue. For Cisco Firepower Threat Defense (FTD) Software, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the web services interface until a patch is available.