Rafal Goryl

**Name of the Vulnerable Software and Affected Versions** WOLFBOX Level 2 EV Charger (affected versions not specified) **Description** This issue allows network-adjacent attackers to execute arbitrary code on affected installations. Authentication is not required to exploit this issue. The flaw exists within the handling of the `secKey`, `localKey`, `stdTimeZone`, and `devId` parameters, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this issue to execute code in the context of the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Wyze Cam v3 (affected versions not specified) Description: This issue allows network-adjacent attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. The specific flaw exists within the "run action batch" endpoint of the cloud infrastructure. The issue results from the use of the device's MAC address as a sole credential for authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Location Manager WordPress plugin versions prior to 2.1.0.10 **Description** The issue arises from the AJAX action `gd popular location list` not properly sanitizing or validating some of its POST parameters, which are then used in a SQL statement. This leads to unauthenticated SQL Injection issues. **Recommendations** For versions prior to 2.1.0.10, update to version 2.1.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the `gd popular location list` AJAX action to minimize the risk of exploitation.