Noman Riffat

**Name of the Vulnerable Software and Affected Versions** Ultimate Membership Pro plugin for WordPress versions 7.3 through 8.6 **Description** The Ultimate Membership Pro plugin for WordPress is vulnerable to Authentication Bypass. This makes it possible for unauthenticated attackers to login as any user, including the site administrator with a default user ID of 1, via the `username` or `user ID`. **Recommendations** For versions 7.3 through 8.6, update to a version that is not affected by this issue to prevent Authentication Bypass attacks. As a temporary workaround, consider restricting access to sensitive areas of the site to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SibSoft Xfilesharing versions prior to 2.5.2 **Description** The issue allows directory traversal, enabling the reading of arbitrary files. This is achieved through the `op` and `tmpl` parameters in a specific API endpoint, "/page" with `tmpl=../`, allowing access to files outside the intended directory. **Recommendations** For versions prior to 2.5.2, update to version 2.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/page` endpoint with `tmpl` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Xfilesharing versions through 2.5.1 **Description** The issue allows for arbitrary file upload via the cgi-bin/up.cgi endpoint. This can potentially be combined with other issues to achieve remote code execution by uploading a .html file containing short codes, served over HTTP. **Recommendations** For versions through 2.5.1, consider restricting access to the cgi-bin/up.cgi endpoint to prevent arbitrary file uploads until a fix is available. As a temporary workaround, avoid using the vulnerable upload functionality in the cgi-bin/up.cgi endpoint.

**Name of the Vulnerable Software and Affected Versions** Western Digital WD My Book World through II version 1.02.12 **Description** The issue allows an attacker to access the "/admin/" directory without credentials. An attacker can enable SSH from "/admin/system advanced.php?lang=en" and login with the default root password `welc0me`. **Recommendations** For Western Digital WD My Book World through II version 1.02.12, as a temporary workaround, consider disabling access to the "/admin/" directory and changing the default root password `welc0me` to prevent unauthorized access. Restrict access to the `/admin/system advanced.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FiberHome VDSL2 Modem HG 150-UB (affected versions not specified) **Description** The issue allows authentication bypass. This can be achieved by including a specific header in the request, namely "Cookie: Name=0admin". **Recommendations** For FiberHome VDSL2 Modem HG 150-UB, as a temporary workaround, consider restricting access to the web interface until a patch is available. Avoid using the default authentication mechanism in the affected device until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FiberHome VDSL2 Modem HG 150-UB devices (affected versions not specified) **Description** The issue allows authentication bypass by ignoring the `parent.location='login.html'` JavaScript code in the response to an unauthenticated request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GPS Tracking Software (self hosted) versions through 3.0 Description: The issue allows remote attackers to inject arbitrary PHP code via a crafted request. This is mishandled during admin log viewing. For example, using `<?php system($ GET[cmd]); ?>` in a login request can demonstrate this issue. Recommendations: For versions through 3.0, consider disabling the `writeLog` function in fn common.php as a temporary workaround until a patch is available. Restrict access to admin log viewing to minimize the risk of exploitation. Avoid using the `cmd` variable in requests until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: gps-server.net GPS Tracking Software (self hosted) versions 2.x Description: The issue concerns a password reset procedure that allows immediate password resets upon an unauthenticated request. After the reset, an email is sent with a new, predictable password based on the date, making it easier for remote attackers to gain access by predicting this password. This is due to the use of `gmdate` for password creation in the `fn connect.php` file. Recommendations: For gps-server.net GPS Tracking Software (self hosted) versions 2.x, consider modifying the password reset procedure to generate unpredictable passwords and implement additional authentication steps to prevent unauthorized resets. As a temporary workaround, restrict access to the password reset functionality until a more secure solution is implemented.