Pizza Power

**Name of the Vulnerable Software and Affected Versions** Arobas Music Guitar Pro for iPad and iPhone versions prior to 1.10.2 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the name of an uploaded file. **Recommendations** For versions prior to 1.10.2, update to version 1.10.2 or later to resolve the issue. As a temporary workaround, consider restricting the upload of files with potentially malicious names to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Arobas Music Guitar Pro for iPad and iPhone versions prior to 1.10.2 **Description** The issue allows attackers to perform directory traversal and download arbitrary files via a crafted web request. **Recommendations** For versions prior to 1.10.2, update to version 1.10.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ecowitt GW1100 Series Weather Stations versions <=GW1100B v2.1.5 **Description** An access control issue allows unauthenticated attackers to access sensitive information, including device and local WiFi passwords. **Recommendations** For Ecowitt GW1100 Series Weather Stations versions <=GW1100B v2.1.5, update to a version later than GW1100B v2.1.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MotionEye versions 0.42.1 and below **Description** The issue allows attackers to access sensitive information via a GET request to "/config/list". To exploit this, a regular user password must be unconfigured. **Recommendations** For MotionEye versions 0.42.1 and below, as a temporary workaround, consider restricting access to the "/config/list" endpoint until a patch is available. Avoid using unconfigured regular user passwords in the affected setup to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MotionEye versions 0.42.1 and earlier MotionEyeOS versions 20200606 and earlier **Description** The issue allows a remote attacker to upload a configuration backup file containing a malicious python pickle file, which will execute arbitrary code on the server. This can occur when an installation is accessible over the Internet and uses no or poor authentication credentials. **Recommendations** For MotionEye versions 0.42.1 and earlier, consider keeping the installation off the Internet and use strong credentials to provide protection against this issue. For MotionEyeOS versions 20200606 and earlier, consider keeping the installation off the Internet and use strong credentials to provide protection against this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Manuskript versions 0.12.0 and earlier **Description** The issue is related to insecure deserialization via the `pickle.load()` function in settings.py, allowing remote attackers to execute arbitrary code by crafting a settings.pickle file in a project file. This could potentially lead to unauthorized access to confidential data, disruption of data integrity, and denial of service. The vendor's position is that the product is not intended for opening untrusted project files. **Recommendations** For Manuskript versions 0.12.0 and earlier, consider disabling the `pickle.load()` function in settings.py as a temporary workaround until a patch is available. Restrict access to untrusted project files to minimize the risk of exploitation. Avoid using the `pickle.load()` function with untrusted data until the issue is resolved.