Pusheax

**Name of the Vulnerable Software and Affected Versions** Alien Technology ALR-F800 versions up to 19.10.24.00 **Description** A critical issue has been found, affecting an unknown function of the file /var/www/cmd.php. The manipulation of the `cmd` argument leads to improper authorization, allowing for remote attacks. The issue has been publicly disclosed, and the vendor was contacted but did not respond. **Recommendations** For Alien Technology ALR-F800 versions up to 19.10.24.00, as a temporary workaround, consider restricting access to the /var/www/cmd.php file until a patch is available. Avoid using the `cmd` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Alien Technology ALR-F800 versions up to 19.10.24.00 **Description** A critical issue has been found, affecting the function `popen` of the file `/var/www/cgi-bin/upgrade.cgi` in the component File Name Handler. The manipulation of the argument `uploadedFile` leads to os command injection. This issue can be exploited remotely. The exploit has been publicly disclosed, and the vendor was contacted but did not respond. **Recommendations** For Alien Technology ALR-F800 versions up to 19.10.24.00, as a temporary workaround, consider restricting access to the `/var/www/cgi-bin/upgrade.cgi` file to minimize the risk of exploitation. Avoid using the `uploadedFile` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alien Technology ALR-F800 versions up to 19.10.24.00 **Description** A critical issue affects some unknown functionality of the file /admin/system.html. The manipulation of the argument `uploadedFile` with the input ';whoami' leads to os command injection. This can be exploited remotely. **Recommendations** For Alien Technology ALR-F800 versions up to 19.10.24.00, as a temporary workaround, consider restricting access to the /admin/system.html file and avoid using the `uploadedFile` argument until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Viessmann Vitogate 300 versions up to 2.1.3.0 **Description** A critical vulnerability was found in the Web Management Interface component of Viessmann Vitogate 300. This issue affects the `isValidUser` function of the file `/cgi-bin/vitogate.cgi`, leading to the use of a hard-coded password. The exploit has been disclosed publicly and may be used. The vulnerability is being actively exploited. **Recommendations** For versions up to 2.1.3.0, as a temporary workaround, consider disabling the `isValidUser` function until a patch is available. Restrict access to the `/cgi-bin/vitogate.cgi` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.