Renguangyue

**Name of the Vulnerable Software and Affected Versions** ORICO CD3510 version 1.9.12 **Description** A security issue exists in the File Upload component of the software that allows for path traversal. This manipulation can be initiated remotely. The exploit for this issue has been publicly disclosed, and the vendor was informed but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SGAI Space1 NAS N1211DS versions up to 1.0.915 **Description** A security issue exists in SGAI Space1 NAS N1211DS versions up to 1.0.915 related to the unprotected storage of credentials. The issue is located in the `gsaiagent` component, specifically within the `/cgi-bin/JSONAPI` file, affecting the `GET FACTORY INFO`/`GET USER INFO` function. This allows for remote exploitation. The exploit has been publicly released. **Recommendations** Versions prior to 1.0.915 should be updated. As a temporary workaround, consider restricting access to the `/cgi-bin/JSONAPI` file.

**Name of the Vulnerable Software and Affected Versions** SGAI Space1 NAS N1211DS versions through 1.0.915 **Description** A command injection issue exists in the `gsaiagent` component. The `RENAME FILE/OPERATE FILE/NGNIX UPLOAD` function within the `/cgi-bin/JSONAPI` file is susceptible to manipulation, leading to command injection. This attack can be initiated remotely. The exploit has been publicly disclosed. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** Versions through 1.0.915: As a temporary workaround, consider restricting access to the `/cgi-bin/JSONAPI` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** UGREEN DH2100+ versions through 5.3.0.251125 **Description** A flaw exists in UGREEN DH2100+ that could allow for remote buffer overflow. The issue is related to the `handler file backup create` function within the `nas svr` component, specifically when handling the `path` argument through the `/v1/file/backup/create` API endpoint. Manipulation of the `path` argument can trigger the overflow. The exploit for this issue has been publicly released. **Recommendations** Versions through 5.3.0.251125 should be updated when a fixed version is available. As a temporary workaround, consider restricting access to the `/v1/file/backup/create` API endpoint.

**Name of the Vulnerable Software and Affected Versions** ZSPACE Q2C NAS versions through 1.1.0210050 **Description** A security flaw exists in ZSPACE Q2C NAS that allows for remote command injection. The issue is located within the `zfilev2 api.SafeStatus` function of the HTTP POST Request Handler component, specifically through the `/v2/file/safe/status` endpoint. Manipulation of the `safe dir` argument can lead to command injection. The exploit has been publicly released. **Recommendations** Versions prior to 1.1.0210050 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZSPACE Q2C NAS versions up to 1.1.0210050 **Description** A weakness exists in ZSPACE Q2C NAS that allows for remote command injection. The issue is related to the `zfilev2 api.OpenSafe` function within the HTTP POST Request Handler component, specifically in the file `/v2/file/safe/open`. Manipulation of the `safe dir` argument can lead to command injection. A public exploit is available. The vendor was notified but did not respond. **Recommendations** Versions prior to 1.1.0210050 should be updated. As a temporary workaround, consider restricting access to the `/v2/file/safe/open` API endpoint. Avoid using the `safe dir` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZSPACE Q2C NAS versions up to 1.1.0210050 **Description** A command injection issue exists in ZSPACE Q2C NAS. The issue is related to the manipulation of the `safe dir` argument within the `zfilev2 api.CloseSafe` function, located in the `/v2/file/safe/close` file of the HTTP POST Request Handler component. This allows for remote execution of commands. The exploit is publicly available. **Recommendations** Versions prior to 1.1.0210050 should be updated. As a temporary workaround, consider restricting access to the `/v2/file/safe/close` endpoint to minimize the risk of exploitation.