Michael Messner

**Name of the Vulnerable Software and Affected Versions** Access Points running AOS-10 (affected versions not specified) Access Points running AOS-8 Instant (affected versions not specified) **Description** A flaw in the web-based management interface allows an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser on the same local network. This could lead to the compromise of user data and potential manipulation of device configuration settings. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Elspec Engineering G5 Digital Fault Recorder Firmware version 1.2.1.12 Description: The issue is related to an XML External Entity (XXE) vulnerability, which allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. This vulnerability can be exploited by sending a manipulated XML payload to the affected system. Recommendations: For Elspec Engineering G5 Digital Fault Recorder Firmware version 1.2.1.12, consider disabling the XML parsing functionality until a patch is available to prevent potential Denial of Service (DoS) attacks. Restrict access to the firmware to minimize the risk of exploitation. Avoid using the firmware with untrusted XML inputs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Elspec G5 digital fault recorder versions 1.2.1.12 and earlier Description: An issue was discovered that may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload due to an XML External Entity (XXE) vulnerability. Recommendations: For versions 1.2.1.12 and earlier, as a temporary workaround, consider disabling the processing of external XML entities until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Elspec Engineering G5 Digital Fault Recorder Firmware version 1.2.1.12 Description: A buffer overflow issue was discovered in the firmware. Recommendations: For Elspec Engineering G5 Digital Fault Recorder Firmware version 1.2.1.12, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Siemens SENTRON 7KM PAC3200 (All versions) **Description** A vulnerability has been identified in the Modbus TCP interface of the Siemens SENTRON 7KM PAC3200, where affected devices only provide a 4-digit PIN to protect from administrative access. This insufficient protection allows attackers with access to the Modbus TCP interface to bypass it by brute-force attacks or by sniffing the Modbus clear text communication. The issue is related to improper authentication, specifically the use of a weak 4-digit PIN and the lack of encryption in the Modbus protocol. **Recommendations** As a temporary workaround, consider disabling access to the Modbus TCP interface until a patch is available. Restrict access to the administrative functions to minimize the risk of exploitation. Avoid using the 4-digit PIN for protection until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** An issue was discovered that allows unauthenticated directory listing to occur. The web interface can be abused by an attacker to gain a better understanding of the operating system. **Recommendations** For Elspec G5 digital fault recorder versions 1.1.4.15 and before, consider restricting access to the web interface until a patch is available. As a temporary workaround, limit the information exposed through the web interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** An issue was discovered in the Elspec G5 digital fault recorder. A hardcoded backdoor session ID exists that can be used for further access to the device, including reconfiguration tasks. **Recommendations** For versions 1.1.4.15 and before, consider disabling access to the device until a patch is available to remove the hardcoded backdoor session ID. As a temporary workaround, restrict access to reconfiguration tasks to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** An issue was discovered where cleartext passwords and hashes are exposed through log files. **Recommendations** For Elspec G5 digital fault recorder versions 1.1.4.15 and before, consider restricting access to log files to minimize the risk of exploitation. As a temporary workaround, review log files for sensitive information and remove or securely store them until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** An issue was discovered in the Elspec G5 digital fault recorder where the shadow file is world readable. **Recommendations** For Elspec G5 digital fault recorder versions 1.1.4.15 and before, consider restricting access to the shadow file to prevent unauthorized reading until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** An issue was discovered in the HTTP header parsing mechanism, allowing unauthenticated memory corruption to occur. **Recommendations** For Elspec G5 digital fault recorder versions 1.1.4.15 and before, consider restricting access to the HTTP header parsing mechanism until a patch is available. As a temporary workaround, avoid using the affected HTTP header parsing mechanism in the Elspec G5 digital fault recorder until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** The issue concerns weak permissions of the SQLite database file. **Recommendations** For Elspec G5 digital fault recorder versions 1.1.4.15 and before, consider restricting access to the SQLite database file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** An issue in the Elspec G5 digital fault recorder allows privilege escalation via world writable files. The network configuration script has weak filesystem permissions, resulting in write access for all authenticated users and the possibility to escalate from user privileges to administrative privileges. **Recommendations** For Elspec G5 digital fault recorder versions 1.1.4.15 and before, consider restricting write access to the network configuration script to prevent privilege escalation until a patch is available. As a temporary workaround, review and adjust the filesystem permissions to limit access to authorized users only.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** An issue was discovered in the system logs download mechanism, allowing directory traversal to occur. This could potentially expose system logs. If local network access exists, it is recommended to take immediate action to prevent data breaches. **Recommendations** For versions 1.1.4.15 and before, update immediately and restrict log access to minimize the risk of exploitation. As a temporary workaround, consider restricting access to the system logs download mechanism until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Elspec G5 digital fault recorder versions 1.1.4.15 and before **Description** An issue in the Elspec G5 digital fault recorder allows unauthenticated memory corruption to occur during XML body parsing. **Recommendations** For Elspec G5 digital fault recorder versions 1.1.4.15 and before, consider disabling XML body parsing until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RUGGEDCOM RM1224 LTE(4G) EU versions prior to V7.1.2 RUGGEDCOM RM1224 LTE(4G) NAM versions prior to V7.1.2 SCALANCE M804PB versions prior to V7.1.2 SCALANCE M812-1 ADSL-Router versions prior to V7.1.2 SCALANCE M816-1 ADSL-Router versions prior to V7.1.2 SCALANCE M826-2 SHDSL-Router versions prior to V7.1.2 SCALANCE M874-2 versions prior to V7.1.2 SCALANCE M874-3 versions prior to V7.1.2 SCALANCE M876-3 versions prior to V7.1.2 SCALANCE M876-4 versions prior to V7.1.2 SCALANCE MUM853-1 versions prior to V7.1.2 SCALANCE MUM856-1 versions prior to V7.1.2 SCALANCE S615 versions prior to V7.1.2 SCALANCE WAM763-1 versions V1.1.0 through V2.9.9 SCALANCE WAM766-1 versions V1.1.0 through V2.9.9 SCALANCE WUM763-1 versions V1.1.0 through V2.9.9 SCALANCE WUM766-1 versions V1.1.0 through V2.9.9 **Description** The issue exists due to insufficient input validation in the software of certain Siemens routers, access points, and routers. This could allow a remote attacker to cause a denial of service condition and reboot the device, potentially affecting other network resources. Affected devices with the TCP Event service enabled do not properly handle malformed packets. **Recommendations** For RUGGEDCOM RM1224 LTE(4G) EU versions prior to V7.1.2, update to version V7.1.2 or later. For RUGGEDCOM RM1224 LTE(4G) NAM versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE M804PB versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE M812-1 ADSL-Router versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE M816-1 ADSL-Router versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE M826-2 SHDSL-Router versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE M874-2 versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE M874-3 versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE M876-3 versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE M876-4 versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE MUM853-1 versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE MUM856-1 versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE S615 versions prior to V7.1.2, update to version V7.1.2 or later. For SCALANCE WAM763-1 versions V1.1.0 through V2.9.9, update to version V3.0.0 or later. For SCALANCE WAM766-1 versions V1.1.0 through V2.9.9, update to version V3.0.0 or later. For SCALANCE WUM763-1 versions V1.1.0 through V2.9.9, update to version V3.0.0 or later. For SCALANCE WUM766-1 versions V1.1.0 through V2.9.9, update to version V3.0.0 or later. As a temporary workaround, consider disabling the TCP Event service until a patch is available.

**Name of the Vulnerable Software and Affected Versions** QuTScloud versions prior to c5.0.1.1949 QuTS hero versions prior to h5.0.0.1949 build 20220215 and prior to h4.5.4.1951 build 20220218 QTS versions prior to 5.0.0.1986 build 20220324 and prior to 4.5.4.1991 build 20220329 **Description** An open redirect issue affects QNAP devices running QuTScloud, QuTS hero, and QTS, allowing attackers to redirect users to untrusted pages containing malware. This could impact the confidentiality and integrity of information. **Recommendations** For QuTScloud versions prior to c5.0.1.1949, update to QuTScloud c5.0.1.1949 or later. For QuTS hero versions prior to h5.0.0.1949 build 20220215, update to QuTS hero h5.0.0.1949 build 20220215 or later. For QuTS hero versions prior to h4.5.4.1951 build 20220218, update to QuTS hero h4.5.4.1951 build 20220218 or later. For QTS versions prior to 5.0.0.1986 build 20220324, update to QTS 5.0.0.1986 build 20220324 or later. For QTS versions prior to 4.5.4.1991 build 20220329, update to QTS 4.5.4.1991 build 20220329 or later.

**Name of the Vulnerable Software and Affected Versions** QuTScloud versions prior to c5.0.1.1949 QuTS hero versions prior to h5.0.0.1986 build 20220324 QTS versions prior to 5.0.0.1986 build 20220324 **Description** A command injection issue affects QNAP NAS running QuTScloud, QuTS hero, and QTS, allowing remote attackers to execute arbitrary commands. This issue is related to the operating system's failure to neutralize special elements used in OS commands, which can be exploited by remote attackers to impact the confidentiality, integrity, and availability of information. **Recommendations** For QuTScloud versions prior to c5.0.1.1949, update to QuTScloud c5.0.1.1949 or later. For QuTS hero versions prior to h5.0.0.1986 build 20220324, update to QuTS hero h5.0.0.1986 build 20220324 or later. For QTS versions prior to 5.0.0.1986 build 20220324, update to QTS 5.0.0.1986 build 20220324 or later.

**Name of the Vulnerable Software and Affected Versions** QuTS hero versions prior to h4.5.4.1971 build 20220310 QuTS hero versions prior to h5.0.0.1986 build 20220324 QTS versions prior to 4.2.6 build 20220304 QTS versions prior to 4.3.3.1945 build 20220303 QTS versions prior to 4.3.4.1976 build 20220303 QTS versions prior to 4.3.6.1965 build 20220302 QTS versions prior to 4.5.4.1991 build 20220329 QTS versions prior to 5.0.0.1986 build 20220324 QuTScloud versions prior to c5.0.1.1998 **Description** The issue is related to an improper link resolution before file access, which can be exploited by a remote attacker to traverse the file system to unintended locations and read or overwrite the contents of unexpected files, thus affecting the confidentiality and integrity of information. **Recommendations** For QuTS hero version prior to h4.5.4.1971 build 20220310, update to QuTS hero h4.5.4.1971 build 20220310 or later. For QuTS hero version prior to h5.0.0.1986 build 20220324, update to QuTS hero h5.0.0.1986 build 20220324 or later. For QTS version prior to 4.2.6 build 20220304, update to QTS 4.2.6 build 20220304 or later. For QTS version prior to 4.3.3.1945 build 20220303, update to QTS 4.3.3.1945 build 20220303 or later. For QTS version prior to 4.3.4.1976 build 20220303, update to QTS 4.3.4.1976 build 20220303 or later. For QTS version prior to 4.3.6.1965 build 20220302, update to QTS 4.3.6.1965 build 20220302 or later. For QTS version prior to 4.5.4.1991 build 20220329, update to QTS 4.5.4.1991 build 20220329 or later. For QTS version prior to 5.0.0.1986 build 20220324, update to QTS 5.0.0.1986 build 20220324 or later. For QuTScloud version prior to c5.0.1.1998, update to QuTScloud c5.0.1.1998 or later.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-845 versions prior to 1.02b03 D-Link DIR-600 versions prior to 2.17b01 D-Link DIR-645 versions prior to 1.04b11 D-Link DIR-300 rev. B D-Link DIR-865 **Description** An issue was discovered in "soap.cgi?service=WANIPConn1" where Command Injection via shell metacharacters is possible in the `NewInternalClient`, `NewExternalPort`, or `NewInternalPort` element of a SOAP POST request. **Recommendations** For D-Link DIR-845 versions prior to 1.02b03, update to version 1.02b03 or later. For D-Link DIR-600 versions prior to 2.17b01, update to version 2.17b01 or later. For D-Link DIR-645 versions prior to 1.04b11, update to version 1.04b11 or later. For D-Link DIR-300 rev. B and DIR-865, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the "soap.cgi?service=WANIPConn1" endpoint to minimize the risk of exploitation. Avoid using the `NewInternalClient`, `NewExternalPort`, or `NewInternalPort` elements in the affected SOAP POST request until the issue is resolved.