Shravan Singh

Name of the Vulnerable Software and Affected Versions: Panasonic IR Control Hub (IR Blaster) versions 1.17 and earlier Description: The issue allows an attacker with physical access to load unauthorized firmware onto the device. Recommendations: For versions 1.17 and earlier, update to a version later than 1.17 to prevent unauthorized firmware loading. As a temporary workaround, consider restricting physical access to the device until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Tinxy smart devices (affected versions not specified) **Description** The issue exists due to the storage of credentials in plaintext within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext credentials stored on the vulnerable device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tapo C500 Wi-Fi camera (affected versions not specified) **Description** This issue exists due to a hard-coded RSA private key embedded within the device firmware. An attacker with physical access could exploit this to obtain cryptographic private keys, which can then be used for impersonation, data decryption, and man-in-the-middle attacks on the targeted device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CP Plus Router (affected versions not specified) **Description** This issue exists due to insecure handling of cookie flags used within the web interface of the CP Plus Router. A remote attacker could exploit this by intercepting data transmissions during an HTTP session on the vulnerable system. Successful exploitation could allow the attacker to obtain sensitive information and compromise the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tinxy mobile app (affected versions not specified) **Description** This issue exists due to the storage of logged-in user information in plaintext on the device database. An attacker with physical access to the rooted device could exploit this by accessing its database, leading to unauthorized access of user information such as `username`, `email address`, and `mobile number`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link IoT Smart Hub (affected versions not specified) **Description** The issue exists due to the storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the Wi-Fi credentials stored on the vulnerable device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Philips lighting devices (affected versions not specified) **Description** This issue is related to the storage of Wi-Fi credentials in plain text within the device firmware of Philips lighting devices. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext Wi-Fi credentials stored on the vulnerable device. Successful exploitation could allow an attacker to gain unauthorized access to the Wi-Fi network to which the vulnerable device is connected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** This issue exists due to a missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation could allow the attacker to capture cookies and obtain sensitive information on the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** The issue arises from a missing secure flag for session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation could allow the attacker to capture cookies and compromise the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** This issue exists due to the storage of default `username` and `password` credentials in plaintext within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse-engineering the binary data to access the plaintext default credentials. Successful exploitation could allow the attacker to gain unauthorized access to the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** The issue arises from the improper implementation of password policies. A local attacker could exploit this by creating passwords that do not adhere to the defined security standards or policy on the vulnerable system. Successful exploitation could allow the attacker to expose the router to potential security threats. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** The issue exists due to the presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by accessing the root shell on the vulnerable system. Successful exploitation could allow the attacker to execute arbitrary commands with root privileges on the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** The issue arises from the transmission of passwords in plain text. A remote attacker could exploit this by intercepting the transmission within an HTTP session on the vulnerable system. Successful exploitation could allow the attacker to gain unauthorized access to the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** This issue exists due to the unencrypted storage of WPA/WPS credentials within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse-engineering the binary data to access the plaintext WPA/WPS credentials. Successful exploitation could allow the attacker to bypass WPA/WPS and gain access to the Wi-Fi network of the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** This issue exists due to the storage of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router's firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext FTP credentials. Successful exploitation could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Digisol Router (DG-GR1321) version v3.2.02 **Description** This issue is caused by the improper implementation of password policies. An attacker with physical access could exploit this by creating passwords that do not adhere to the defined security standards or policy on the vulnerable system. Successful exploitation could allow the attacker to expose the router to potential security threats. **Recommendations** For Digisol Router (DG-GR1321) version v3.2.02, consider changing the password policy to enforce stronger passwords and adhere to defined security standards to minimize the risk of exploitation. As a temporary workaround, restrict physical access to the router until a patch or fix is available.

**Name of the Vulnerable Software and Affected Versions** Digisol Router (DG-GR1321) version v3.2.02 **Description** This issue exists due to the presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by identifying UART pins and accessing the root shell on the vulnerable system. Successful exploitation could allow the attacker to access sensitive information on the targeted system. **Recommendations** For Digisol Router (DG-GR1321) version v3.2.02, consider restricting physical access to the device to minimize the risk of exploitation. As a temporary workaround, limiting access to the serial interface could help mitigate the issue until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Digisol Router (DG-GR1321) version v3.2.02 **Description** This issue is caused by the lack of encryption or hashing in storing passwords within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse-engineering the binary data to access plaintext passwords. Successful exploitation could allow the attacker to gain unauthorized access to the targeted system. **Recommendations** For Digisol Router (DG-GR1321) version v3.2.02, consider changing passwords and restricting physical access to the device until a patch is available. As a temporary workaround, restrict access to the router's firmware and database to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SyroTech SY-GPON-1110-WDONT Router (affected versions not specified) **Description** This issue is related to the lack of encryption in storing usernames and passwords within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext credentials on the vulnerable system. Successful exploitation could allow the attacker to gain unauthorized access to the targeted system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.