Minipython

Name of the Vulnerable Software and Affected Versions: Tenda AC6, AC7, AC8, AC9, AC10, AC10U, AC15, AC18, AC500, and AC1206 versions up to 20241022 Description: A vulnerability was found in the function `websReadEvent` of the file `/goform/GetIPTV`. The manipulation of the argument `Content-Length` leads to null pointer dereference. The attack may be initiated remotely. This issue may allow an attacker to execute arbitrary code. The exploit has been disclosed to the public and may be used. Recommendations: For Tenda AC6, AC7, AC8, AC9, AC10, AC10U, AC15, AC18, AC500, and AC1206 versions up to 20241022: As a temporary workaround, consider disabling the `websReadEvent` function until a patch is available. Restrict access to the `/goform/GetIPTV` file to minimize the risk of exploitation. Avoid using the `Content-Length` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Tenda AC8 version 16.03.34.06 Description: A critical issue has been found in the compare parentcontrol time function of the /goform/saveParentControlInfo file, which is affected by a stack-based buffer overflow. This can be exploited remotely by manipulating the `time` argument, potentially impacting the confidentiality, integrity, and availability of protected information. The exploit has been publicly disclosed and can be used. The attack can be launched remotely by sending a specially crafted POST request to the "/goform/saveParentControlInfo" endpoint. Recommendations: For Tenda AC8 version 16.03.34.06, as a temporary workaround, consider disabling the `compare parentcontrol time` function until a patch is available. Restrict access to the "/goform/saveParentControlInfo" endpoint to minimize the risk of exploitation. Avoid using the `time` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Tenda AC8 version 16.03.34.06 Description: A critical vulnerability was found in the function `formSetRebootTimer` of the file `/goform/SetSysAutoRebbotCfg`. The manipulation of the argument `rebootTime` leads to a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Another vulnerable function is `compare parentcontrol time` in the file `/goform/saveParentControlInfo`, which is also related to a stack-based buffer overflow. This can allow an attacker to impact the confidentiality, integrity, and availability of protected information by sending a specially crafted POST request. Recommendations: As a temporary workaround, consider disabling the `formSetRebootTimer` function and restricting access to the `/goform/SetSysAutoRebbotCfg` and `/goform/saveParentControlInfo` API endpoints until a patch is available. Avoid using the `rebootTime` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xpdfreader version 4.03 **Description** The issue is related to a Buffer Overflow. **Recommendations** For xpdfreader version 4.03, at the moment, there is no information about a newer version that contains a fix for this vulnerability.