Mustafa Altinkaynak

**Name of the Vulnerable Software and Affected Versions** Zyxel P-660HW-T1 version v3 **Description** The issue affects the Zyxel P-660HW-T1 wireless router, where multiple cross-site request forgery (CSRF) vulnerabilities exist. These vulnerabilities allow remote attackers to hijack the authentication of administrators for specific requests. The requests in question are those that change the wifi password or the SSID, which can be executed via a request to "Forms/WLAN General 1". **Recommendations** For Zyxel P-660HW-T1 version v3, consider disabling access to the "Forms/WLAN General 1" endpoint until a patch is available to prevent exploitation of the CSRF vulnerabilities. Restrict access to the wifi password and SSID change functionalities to minimize the risk of unauthorized changes.

**Name of the Vulnerable Software and Affected Versions** AuraCMS versions 3.0 and earlier **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `viewdir` parameter in the filemanager.php file. **Recommendations** For AuraCMS versions 3.0 and earlier, update to a version later than 3.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** AuraCMS version 3.0 **Description** The issue allows remote attackers to list a directory via a full pathname in the `viewdir` parameter in the filemanager.php file. This is due to an absolute path traversal vulnerability. **Recommendations** For AuraCMS version 3.0, avoid using the `viewdir` parameter in the filemanager.php file until a patch is available. As a temporary workaround, consider restricting access to the filemanager.php file to minimize the risk of exploitation.