Patrick Muench

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact PLCnext Control Devices versions prior to 2021.0 LTS **Description** The issue allows an attacker to open a reverse shell with root privileges. **Recommendations** For versions prior to 2021.0 LTS, update to version 2021.0 LTS or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact PLCnext Control Devices versions prior to 2021.0 LTS **Description** The issue allows an attacker to gain knowledge by reading insufficiently protected sensitive information, which can be used to plan further attacks. **Recommendations** For versions prior to 2021.0 LTS, update to version 2021.0 LTS or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact PLCnext Control Devices versions prior to 2021.0 LTS **Description** The issue allows an authenticated low-privileged user to embed malicious Javascript code, potentially gaining admin rights when an admin user visits the vulnerable website. This is a case of local privilege escalation. **Recommendations** For versions prior to 2021.0 LTS, update to version 2021.0 LTS or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable website to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: GitLab Enterprise version 12.0.0-pre Description: The issue allows authenticated remote attackers to read Docker registries of other groups. This occurs when a legitimate user changes the path of a group, and the Docker registries are not adapted, leaving them in the old namespace and making them available to all other users with no previous access to the repository. Recommendations: For GitLab Enterprise version 12.0.0-pre, consider restricting access to the Docker registries until a patch is available to prevent unauthorized access. As a temporary workaround, avoid changing the path of a group to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ARP-GUARD version 4.0.0-5 **Description** A SQL injection issue allows unauthenticated remote attackers to execute arbitrary SQL commands. This is achieved via the `user id` parameter in a "/login/forgot1" POST request. **Recommendations** For ARP-GUARD version 4.0.0-5, avoid using the `user id` parameter in the "/login/forgot1" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SECUDOS DOMOS versions prior to 5.6 **Description** The issue concerns the Log module in SECUDOS DOMOS, which allows local file inclusion. **Recommendations** For versions prior to 5.6, update to version 5.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SECUDOS DOMOS versions prior to 5.6 **Description** The issue affects the Log module, allowing for cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 5.6, update to version 5.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG Homematic CCU3 versions 3.43.15 and earlier **Description** The issue allows unauthenticated remote attackers to disclose password hashes of GUI users through the User.getUserPWD method. This can be exploited by attackers with access to the web interface. **Recommendations** For versions 3.43.15 and earlier, update to a version that fixes this issue to prevent unauthenticated password hash disclosure. As a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lifesize Icon version 3.7.0 (2421) **Description** A Remote Code Execution issue in the DNS Query Web UI allows remote authenticated attackers to execute arbitrary commands via a crafted DNS Query address field in a JSON API request. **Recommendations** For version 3.7.0 (2421), consider disabling access to the DNS Query Web UI until a patch is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG Homematic CCU3 versions 3.43.15 and earlier **Description** The issue allows remote attackers to read arbitrary files of the device's filesystem through Directory Traversal or Arbitrary File Read. This can be exploited by unauthenticated attackers with access to the web interface. **Recommendations** For versions 3.43.15 and earlier, update to a version later than 3.43.15 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Semcosoft version 5.3 **Description** A reflected Cross-Site scripting issue allows remote attackers to inject arbitrary web scripts or HTML via the `username` parameter to the "Login Form" API endpoint. **Recommendations** For Semcosoft version 5.3, consider validating and sanitizing user input for the `username` parameter in the Login Form to prevent arbitrary script injection. As a temporary workaround, restrict access to the Login Form until a patch is available.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG HomeMatic CCU2 version 2.29.22 **Description** The issue allows exploitation by sending arbitrary XML-RPC requests to control attached BidCos devices, due to an open XML-RPC port without authentication. **Recommendations** For version 2.29.22, consider restricting access to the XML-RPC port to minimize the risk of exploitation. As a temporary workaround, limit control of the attached BidCos devices until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG HomeMatic CCU2 version 2.29.22 **Description** The issue concerns the download of software update packages via the HTTP protocol, which lacks cryptographic protection. An attacker with a privileged network position can exploit this to provide malicious firmware updates, potentially resulting in a full system compromise. **Recommendations** For eQ-3 AG HomeMatic CCU2 version 2.29.22, consider disabling the `loopupd.sh` script in `/usr/local/etc/config/addons/mh/` as a temporary workaround until a patch is available. Restrict access to the device to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG Homematic CCU2 versions 2.29.2 and earlier **Description** The issue allows remote attackers to read the first line of an arbitrary file on the CCU2's filesystem through the User.getLanguage method. This can be exploited by unauthenticated attackers with access to the web interface. **Recommendations** For versions 2.29.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG Homematic CCU2 versions 2.29.2 and earlier **Description** The issue allows authenticated attackers to perform Remote Code Execution in the addon installation process. This enables them to create or overwrite arbitrary files or install malicious software on the device. **Recommendations** For versions 2.29.2 and earlier, update to a version later than 2.29.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG Homematic CCU2 versions 2.29.2 and earlier **Description** The issue is related to a method called `User.setLanguage` and is associated with security mechanism weaknesses. This allows remote attackers to write arbitrary files to the device's filesystem and potentially execute arbitrary code on the device using the web interface. The vulnerability can be exploited by unauthenticated attackers with access to the web interface. **Recommendations** For versions 2.29.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eQ-3 AG Homematic CCU2 versions 2.29.2 and earlier **Description** The issue is related to a Remote Code Execution vulnerability in the TCL script interpreter. This allows remote attackers to obtain read/write access and execute system commands on the device. The vulnerability can be exploited by unauthenticated attackers with access to the web interface. It is associated with shortcomings in the security mechanisms of the TCL script interpreter, enabling remote attackers to read and write arbitrary files and execute system commands on the device using the web interface. **Recommendations** For versions 2.29.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.