Mencha Isajlovska

**Name of the Vulnerable Software and Affected Versions** Ksenia Security Lares 4.0 Home Automation version 1.6 **Description** An authenticated attacker can upload MPFS File System binary images through an unprotected endpoint. This allows overwriting flash program memory and potentially executing arbitrary code on the home automation system's web server. The vulnerable endpoint allows file uploads without proper security checks. **Recommendations** Apply updates to address the unprotected endpoint in version 1.6.

**Name of the Vulnerable Software and Affected Versions** Ksenia Security Lares 4.0 Home Automation version 1.6 **Description** A critical security flaw exists that exposes the alarm system PIN in the `basisInfo` XML file after authentication. An attacker can retrieve the PIN from the server response and bypass security measures to disable the alarm system without further authentication. The affected system is a home automation system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ksenia Security Lares 4.0 Home Automation version 1.6 **Description** Ksenia Security Lares 4.0 Home Automation version 1.6 has a default credentials issue that allows unauthorized access to administrative functions. Successful exploitation grants attackers full control of the home automation system. **Recommendations** Change the default administrative credentials.

**Name of the Vulnerable Software and Affected Versions** Ksenia Security Lares version 1.6 **Description** The software contains a URL redirection issue in the 'cmdOk.xml' script. Attackers can manipulate the `redirectPage` GET parameter to redirect authenticated users to arbitrary websites via a specially crafted link hosted on a trusted domain. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.