Nerya Zadkani

**Name of the Vulnerable Software and Affected Versions** D-Link DSL-224 version 3.0.10 D-Link DSL-G256DG (affected versions not specified) **Description** The issue is related to a command execution vulnerability that can be exploited after authentication. It is associated with deficiencies in the authentication procedure, allowing a remote attacker to execute arbitrary commands. **Recommendations** For D-Link DSL-224 version 3.0.10, update to a newer version that contains a fix for this issue. For D-Link DSL-G256DG, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DSL-224 firmware version 3.0.10 **Description** The issue is related to improper restriction of excessive authentication attempts, which can be exploited by a remote attacker to bypass security restrictions and gain unauthorized access to protected information. **Recommendations** For D-Link DSL-224 firmware version 3.0.10, consider restricting access to the authentication mechanism to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the number of authentication attempts to prevent brute-force attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DLINK router version 3.0.8 **Description** The issue allows for command injection through the interface used to configure NTP servers via jsonrpc API, potentially running commands with ROOT permissions on the router. This is made possible by injecting a command through the jsonrpc API interface for NTP server configuration. **Recommendations** For version 3.0.8, consider disabling the jsonrpc API interface for NTP server configuration until a patch is available to prevent potential command injection attacks. Restrict access to the NTP server configuration interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Supersmart (affected versions not specified) **Description** The issue allows downloading all receipts without authentication. To exploit this, an attacker must first access the API endpoint "https://XXXX.supersmart.me/services/v4/customer/signin" to obtain a `TOKEN`. Then, they can access the API that provides invoice images based on the URL "https://XXXX.supersmart.me/services/v4/invoiceImg?orderId=XXXXX". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.