Pupiles

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Control Traffic Ops (affected versions not specified) **Description** The issue exists due to the lack of neutralization of special elements in the LDAP filter of Apache Traffic Control. An unauthenticated user can exploit this by sending a specially-crafted request to the `POST /login` endpoint of any API version, allowing them to inject unsanitized content into the LDAP filter and potentially execute arbitrary commands in the target system. **Recommendations** As a temporary workaround, consider disabling the `POST /login` endpoint until a patch is available. Restrict access to the LDAP filter to minimize the risk of exploitation. Avoid using specially-crafted usernames in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Thunderdome versions prior to 1.16.3 **Description** The issue is related to an LDAP injection vulnerability that affects instances with LDAP authentication enabled. The provided username is not properly escaped, allowing for potential exploitation. This issue has been patched, and it is estimated that a significant number of devices worldwide that use Thunderdome with LDAP authentication could be affected, although the exact number is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 1.16.3, update to version 1.16.3 to resolve the issue. As a temporary workaround, consider disabling the LDAP feature if it is in use, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BigTree version 4.2.23 **Description** The issue allows remote attackers to bypass authentication when Advanced or Simple Rewrite routing is enabled. This can be achieved by using a .. substring in a URI, such as launch.php?bigtree htaccess url=admin/images/... **Recommendations** For BigTree version 4.2.23, consider disabling Advanced or Simple Rewrite routing until a patch is available to prevent authentication bypass. Restrict access to sensitive areas of the application to minimize the risk of exploitation. Avoid using the `bigtree htaccess url` parameter in the affected launch.php endpoint until the issue is resolved.