Owen Shearing

**Name of the Vulnerable Software and Affected Versions** IPSwitch WhatsUp Gold versions prior to 16.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via two parameters: (1) the `UniqueID` (also known as `sUniqueID`) parameter to the "WrFreeFormText.asp" endpoint in the Reports component, or (2) the `Find Device` parameter. **Recommendations** For versions prior to 16.4, update to version 16.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "WrFreeFormText.asp" endpoint and limiting the use of the `Find Device` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Brocade Vyatta 5400 vRouter versions 6.4R(x) through 6.7R1 **Description** The management console allows remote authenticated users to execute arbitrary Linux commands via shell metacharacters in a console command. **Recommendations** For Brocade Vyatta 5400 vRouter versions 6.4R(x) through 6.7R1, consider restricting access to the management console to minimize the risk of exploitation. As a temporary workaround, avoid using shell metacharacters in console commands until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Brocade Vyatta 5400 vRouter versions 6.4R(x) through 6.7R1 **Description** The issue allows attackers to obtain sensitive encrypted-password information by leveraging membership in the operator group. **Recommendations** For versions 6.4R(x) through 6.7R1, consider restricting access to the operator group to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Brocade Vyatta 5400 vRouter versions 6.4R(x) through 6.7R1 **Description** The issue is related to the `/opt/vyatta/bin/sudo-users/vyatta-clear-dhcp-lease.pl` script, which does not properly validate parameters. This allows local users to gain privileges by leveraging the sudo configuration. **Recommendations** For Brocade Vyatta 5400 vRouter versions 6.4R(x) through 6.7R1, consider restricting access to the `vyatta-clear-dhcp-lease.pl` script until a proper fix is available. As a temporary workaround, review and restrict the sudo configuration to minimize the risk of exploitation.