Ryan Delaney

**Name of the Vulnerable Software and Affected Versions** Netgear C7800 Router version 6.01.07 **Description** The administrative web interface of the Netgear C7800 Router authenticates users via basic authentication, with an HTTP header containing a base64 value of the plaintext `username` and `password`. This renders the administrative credentials vulnerable to eavesdropping by an adversary during every authenticated request made by a client to the router over a WLAN or a LAN, should the adversary be able to perform a man-in-the-middle attack. **Recommendations** For Netgear C7800 Router version 6.01.07, consider disabling the basic authentication mechanism until a patch is available. Restrict access to the administrative web interface to minimize the risk of exploitation. Avoid using the administrative web interface over unsecured networks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sagemcom F@ST 5280 version 1.150.61 **Description** The issue allows any authenticated user to perform a privilege escalation to any other user due to insecure deserialization. By making a request with valid `sess id`, `nonce`, and `ha1` values inside of the serialized session cookie, an attacker may alter the `user` value inside of this cookie and assume the role and permissions of the specified user. This can lead to gaining the permissions of the internal account, which includes the ability to flash custom firmware to the router, resulting in a complete compromise. **Recommendations** For Sagemcom F@ST 5280 version 1.150.61, as a temporary workaround, consider restricting access to the serialized session cookie until a patch is available. Avoid using the `user` value in the affected cookie to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Verint Impact 360 version 15.1 Description: An issue was discovered in Verint Impact 360 where the `helpURL` parameter at the "/wfo/help/help popup.jsp" endpoint can be changed to embed arbitrary content inside of an iFrame. Attackers may use this in conjunction with social engineering to embed malicious scripts or phishing pages on a site where this product is installed, given the attacker can convince a victim to visit a crafted link. Recommendations: For Verint Impact 360 version 15.1, consider restricting access to the `helpURL` parameter at the "/wfo/help/help popup.jsp" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `helpURL` parameter until a patch is available.

Name of the Vulnerable Software and Affected Versions: Verint Impact 360 version 15.1 Description: An issue was discovered that allows attackers to potentially compromise valid credentials. At the `/wfo/control/signin` API endpoint, the `rd` parameter can accept a URL, to which users will be redirected after a successful login. This can be used in conjunction with another issue to "crowdsource" brute-force login attempts on the target site, allowing attackers to guess valid credentials without sending traffic from their own machine to the target site. Recommendations: For Verint Impact 360 version 15.1, consider restricting access to the `/wfo/control/signin` API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `rd` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Verint Impact 360 version 15.1 Description: An issue was discovered where the login form at the `/wfo/control/signin` API endpoint can accept submissions from external websites. This can be exploited by attackers to crowdsource brute-force login attempts, potentially compromising valid credentials without sending traffic from their own machine to the target site. Recommendations: For Verint Impact 360 version 15.1, consider restricting access to the `/wfo/control/signin` API endpoint to prevent external submissions until a fix is available. Additionally, monitor login attempts for suspicious activity to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sagemcom F@st 5260 version 0.4.39 **Description** The issue concerns the generation of a Pre-Shared Key (PSK) in WPA mode, which is derived from a 2-part wordlist of known values and a nonce with insufficient entropy. This results in a limited number of possible PSKs, approximately 1.78 billion, making it vulnerable to exploitation. **Recommendations** For Sagemcom F@st 5260 version 0.4.39, consider changing the default PSK generation mechanism to one that uses sufficient entropy to produce a more secure key. As a temporary workaround, manually set a strong and unique PSK to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Budabot versions 0.6 through 4.0 **Description** The issue allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command. This can result in a denial of service or possibly other unspecified impacts. For example, the command "!calc 5 x 5" can be used to demonstrate the issue. The vulnerable code is located in different files depending on the version: in versions before 3.0, it is in modules/HELPBOT MODULE/calc.php, and in versions 3.0 and above, it is in modules/HELPBOT MODULE/HelpbotController.class.php. **Recommendations** For versions 0.6 through 2.x, consider disabling the calc.php file in the modules/HELPBOT MODULE directory until a patch is available. For versions 3.0 through 4.0, consider disabling the HelpbotController.class.php file in the modules/HELPBOT MODULE directory until a patch is available. Restrict access to the `!calc` command in the affected API endpoint until the issue is resolved.