Metadata

**Name of the Vulnerable Software and Affected Versions** AnaSystem SensMini M4 (affected versions not specified) **Description** The issue allows an authenticated user to cause a Denial of Service for the device using the configuration tool. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Switch (affected versions not specified) **Description** The issue concerns an unspecified endpoint in the switch's web server that fails to properly authenticate user identity. This may allow an attacker to download a configuration page containing the switch's password in clear text. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EXFO BV-10 Performance Endpoint Unit (affected versions not specified) **Description** The issue concerns an undocumented hard-coded privileged user in the EXFO BV-10 Performance Endpoint Unit. This means that there is a user account with elevated privileges that is not documented, potentially allowing unauthorized access to the unit. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EXFO - BV-10 Performance Endpoint Unit (affected versions not specified) **Description** The issue concerns a misconfiguration in the EXFO - BV-10 Performance Endpoint Unit, specifically with the system configuration file having misconfigured permissions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EXFO BV-10 Performance Endpoint Unit (affected versions not specified) **Description** The issue allows a user to manually manipulate access, enabling an authentication bypass. This means that an individual can potentially gain unauthorized access to the system by exploiting this weakness. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alotcer - AR7088H-A firmware version 16.10.3 **Description** The issue concerns an information disclosure where an unspecified error message contains the default administrator user name. **Recommendations** For Alotcer - AR7088H-A firmware version 16.10.3, consider changing the default administrator user name as a temporary mitigation measure. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Alotcer - AR7088H-A firmware version 16.10.3 **Description** The issue is related to improper validation of an unspecified input field, which may allow authenticated command execution. **Recommendations** For Alotcer - AR7088H-A firmware version 16.10.3, consider restricting access to the device until a patch is available, and avoid using unspecified input fields that may be vulnerable to command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link - G integrated Access Device4 (affected versions not specified) **Description** The issue concerns information disclosure and authorization bypass. It involves a file containing a URL with a private IP address and default username value "admin" in "login.asp". The web interface does not properly validate user identity variables, such as `login glag` and `login status`, allowing access without proper checking. This enables reading of admin user credentials. The vulnerability can be exploited by accessing the "setupWizard.asp" URL. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Proscend M330-w versions Proscend M330-W5 versions Proscend M350-5G versions Proscend M350-W5G versions Proscend M350-6 versions Proscend M350-W6 versions Proscend M301-G versions Proscend M301-GW versions Proscend ICR 111WG versions **Description** The issue is related to the lack of measures to neutralize special elements used in the operating system command, which can allow a remote attacker to execute arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ALLNET Router model WR0500AC (affected versions not specified) **Description** The web page "wizardpwd.asp" is prone to an authorization bypass issue, where the password located at "admin" allows changing the http[s]://wizardpwd.asp/cgi-bin without validating the user's identity, making it accessible publicly. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cellinx Camera (affected versions not specified) **Description** The issue allows an attacker with web access to elevate privileges from guest to administrative by modifying specific cookie values, including `is admin` and `showConfig`, enabling changes to various camera configurations. **Recommendations** For Cellinx Camera, consider disabling guest access until a fix is available to prevent privilege escalation. As a temporary workaround, restrict modifications to camera configurations to minimize the risk of exploitation. Avoid using the `is admin` and `showConfig` cookie values in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** No specific software or version is mentioned in the provided descriptions. **Description** The issue allows a remote user to read files on the camera's OS using "GetFileContent.cgi". This enables reading arbitrary files on the camera's OS as the root user. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. This provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Company's products versions update i90 cv2.021 b20210104, update i50 v1.0.55 b20200509, update x6 v2.1.2 b202001127, update b5 v2.0.9 b20200706 **Description** This issue affects the company's products, making it possible to extract existing user passwords from the firmware on their operating systems. **Recommendations** For versions update i90 cv2.021 b20210104, update i50 v1.0.55 b20200509, update x6 v2.1.2 b202001127, update b5 v2.0.9 b20200706, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** The system allows unauthorized viewing of usernames and passwords, enabling access to the system. The issue is accessible via the "http://api/sys username passwd.cmd" API endpoint. Additionally, hard-coded credit information and a super-user password are disclosed within the JS code sent to customers in the Login.js file. The disclosed username is `chcadmin` and the password is `chcpassword`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** P5E GNSS (affected versions not specified) **Description** The issue is related to the wifi ap pata get.cmd component of the P5E GNSS satellite receiver's firmware, which stores confidential information in clear text. This allows a remote attacker to gain unauthorized access to protected information. Browsing the path: "http://ip/wifi ap pata get.cmd" will show the name of the existing access point on the component, and a password in clear text. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** P5E GNSS (affected versions not specified) **Description** The issue is related to weaknesses in the authentication procedure of the admin.html page in the P5E GNSS software. This allows a remote attacker to reset the admin password. The vulnerability is also present in the JavaScript code for the password. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software name or versions are mentioned in the provided descriptions. **Description** The issue is related to a non-standard way of checking a user's cookie, allowing an attacker to bypass system identification using a username and password by setting a specific value in the cookie. This can potentially lead to privilege escalation. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.