Samuzora

**Name of the Vulnerable Software and Affected Versions** AX53 version 1 **Description** A command injection issue exists in the mscd debug functionality due to inadequate input handling. This allows for log redirection to arbitrary files and the combination of unvalidated file content into shell commands. Successful exploitation could allow an authenticated attacker to inject and execute arbitrary commands, potentially leading to full control of the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AX53 version 1 **Description** The issue stems from inadequate input validation within the device’s probe handling logic. Unvalidated parameters can lead to a stack-based buffer overflow, causing the service to crash. Under certain circumstances, this could allow for remote code execution through complex heap-spray techniques. Successful exploitation may lead to service unavailability and potentially allow an attacker to gain control of the device. The vulnerable component processes parameters without proper sanitization. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pug versions 3.0.2 and earlier **Description** The issue is related to the incorrect management of code generation in the Pug template engine, specifically in the `compileClient`, `compileFileClient`, and `compileClientWithDependenciesTracked` functions. These functions are used for compiling Pug templates into JavaScript. If an application accepts untrusted input for the name option of these functions, it may allow an attacker to execute arbitrary JavaScript code. Typically, there would be no reason to allow untrusted callers for these functions. **Recommendations** For Pug versions 3.0.2 and earlier, consider disabling the `compileClient`, `compileFileClient`, and `compileClientWithDependenciesTracked` functions until a patch is available to prevent potential code execution. Restrict access to these functions to minimize the risk of exploitation. Avoid using untrusted input for the name option of these functions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.