Rijnard Van Tonder

**Name of the Vulnerable Software and Affected Versions** Huawei Echo Life HG8247 routers versions prior to V100R006C00SPC127 **Description** A cross-site scripting (XSS) issue exists in the web interface, allowing remote attackers to inject arbitrary web script or HTML via a crafted username in an invalid TELNET connection attempt. This occurs because the username is not properly handled during the construction of the "failed log-in attempts over telnet" log view. **Recommendations** For versions prior to V100R006C00SPC127, update to V100R006C00SPC127 or later to resolve the issue. As a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation. Avoid using the `username` variable in the affected log view until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Dell PowerConnect 3348 version 1.2.1.3 Dell PowerConnect 3524p version 2.0.0.48 Dell PowerConnect 5324 version 2.0.1.4 **Description** The issue allows remote attackers to cause a denial of service, potentially leading to device reset, or possibly execute arbitrary code. This is achieved by sending many packets to TCP port 22, which is used by the SSH service. **Recommendations** For Dell PowerConnect 3348 version 1.2.1.3, restrict access to TCP port 22 to minimize the risk of exploitation. For Dell PowerConnect 3524p version 2.0.0.48, consider disabling the SSH service until a fix is available. For Dell PowerConnect 5324 version 2.0.1.4, limit the number of incoming packets to TCP port 22 as a temporary mitigation measure.

**Name of the Vulnerable Software and Affected Versions** Dell PowerConnect versions 1.2.1.3, 2.0.0.48, and 2.0.1.4 **Description** The issue concerns the login page in the GoAhead web server, which allows remote attackers to cause a denial of service, resulting in a device outage. This can be achieved by submitting a long `username` to the login page. **Recommendations** For version 1.2.1.3, restrict access to the login page to prevent remote attackers from causing a denial of service. For version 2.0.0.48, limit the length of the `username` parameter to prevent exploitation. For version 2.0.1.4, consider disabling the login functionality until a fix is available to prevent device outages.