Sivertpl

**Name of the Vulnerable Software and Affected Versions** VideoLAN VLC versions prior to 2.2.5 **Description** The issue is related to a potential heap-based buffer overflow in the ParseJSS function. This occurs when the function skips the NULL terminator in an input string, allowing attackers to execute arbitrary code. The exploitation vector is a crafted subtitles file. **Recommendations** For versions prior to 2.2.5, update to version 2.2.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NETGEAR DGN2200 routers versions 10.0.0.20 through 10.0.0.50 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack user authentication for requests that perform DNS lookups via the `host name` parameter to "dnslookup.cgi" API endpoint. This can potentially be combined with other issues to execute arbitrary code remotely. **Recommendations** For versions 10.0.0.20 through 10.0.0.50, consider restricting access to the "dnslookup.cgi" API endpoint to minimize the risk of exploitation. Avoid using the `host name` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NETGEAR DGN2200 versions through 10.0.0.50 **Description** The issue allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the `ping IPAddr` field of an HTTP POST request to the ping.cgi endpoint. This is due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of the issue may allow a remote attacker to execute arbitrary commands on the router's operating system and gain full control over the device. **Recommendations** For versions through 10.0.0.50, consider disabling the ping.cgi endpoint until a patch is available to prevent exploitation. Restrict access to the ping.cgi endpoint to minimize the risk of exploitation. Avoid using the `ping IPAddr` parameter in the POST request to the ping.cgi endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NETGEAR DGN2200 devices with firmware through 10.0.0.50 **Description** The issue exists due to the lack of neutralization of special elements used in the operating system command. This can be exploited by a remote attacker to execute arbitrary OS commands on the router and gain full control over the device by using metacharacters in the `ping IPAddr` parameter of a POST request or the `host name` field of an HTTP POST request in `dnslookup.cgi`. **Recommendations** For NETGEAR DGN2200 devices with firmware through 10.0.0.50, consider restricting access to the `dnslookup.cgi` and `ping.cgi` scripts until a patch is available. As a temporary workaround, avoid using the `host name` field in the `dnslookup.cgi` HTTP POST request and the `ping IPAddr` parameter in the `ping.cgi` POST request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.