Strik3R

**Name of the Vulnerable Software and Affected Versions** Clavister E10 and E80 versions up to 14.00.10 **Description** A vulnerability was found in the Setting Handler component, leading to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Clavister E10 and E80 versions up to 14.00.10, upgrade to version 14.00.11 to address this issue. As a temporary workaround, consider disabling the Setting Handler component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zebra ZTC GK420d version 1.0 **Description** A problematic issue was found in the Alert Setup Page component, specifically affecting the /settings file. The manipulation of the `Address` argument leads to cross-site scripting. This issue can be initiated remotely. The exploit has been disclosed publicly. **Recommendations** For Zebra ZTC GK420d version 1.0, as a temporary workaround, consider restricting access to the Alert Setup Page or disabling the manipulation of the `Address` argument until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Clavister E10 and E80 versions up to 14.00.10 **Description** A vulnerability has been found in the Misc Settings Page component, affecting the file /?Page=Node&OBJ=/System/AdvancedSettings/DeviceSettings/MiscSettings. The manipulation of the arguments `WatchdogTimerTime`, `BufFloodRebootTime`, `MaxPipeUsers`, `AVCache Lifetime`, `HTTPipeliningMaxReq`, `Reassembly MaxConnections`, `Reassembly MaxProcessingMem`, and `ScrSaveTime` leads to cross-site scripting. The attack can be initiated remotely. **Recommendations** For Clavister E10 and E80 versions up to 14.00.10, upgrade to version 14.00.11 to address this issue. As a temporary workaround, consider restricting access to the Misc Settings Page component until the upgrade is applied. Avoid using the vulnerable arguments in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GARO WALLBOX GLB+ T2EV7 version 0.5 **Description** A problematic issue was found in the Software Update Handler component, affecting an unknown part of the file /index.jsp#settings. The manipulation of the `Reference` argument leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For GARO WALLBOX GLB+ T2EV7 version 0.5, as a temporary workaround, consider restricting access to the `/index.jsp#settings` endpoint until a patch is available. Avoid using the `Reference` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester House Rental Management System version 1.0 **Description** A vulnerability has been found in the Manage Invoice Details component, where the manipulation of the `Invoice` argument leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For SourceCodester House Rental Management System version 1.0, consider disabling the Manage Invoice Details component until a patch is available. Restrict access to this component to minimize the risk of exploitation. Avoid using the `Invoice` argument in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester House Rental Management System version 1.0 **Description** A problematic issue has been found in the processing of the file index.php, where the manipulation of the `page` argument leads to cross site scripting. The attack can be initiated remotely. **Recommendations** For SourceCodester House Rental Management System version 1.0, consider restricting access to the index.php file until a patch is available. As a temporary workaround, avoid using the `page` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester House Rental Management System version 1.0 **Description** A problematic issue was found in the Manage Tenant Details component. The manipulation of the `Name` argument leads to cross-site scripting. It is possible to launch the attack remotely. **Recommendations** For SourceCodester House Rental Management System version 1.0, consider restricting access to the Manage Tenant Details component until a patch is available. As a temporary workaround, avoid using the `Name` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester House Rental Management System version 1.0 **Description** A critical issue was found in the SourceCodester House Rental Management System, affecting some unknown functionality of the file manage user.php of the component Edit User. The manipulation of the `id`, `name`, or `username` argument leads to SQL injection. The attack can be launched remotely. **Recommendations** For version 1.0, consider disabling the `manage user.php` file or restricting access to the Edit User component until a patch is available. As a temporary workaround, avoid using the `id`, `name`, or `username` arguments in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Student Attendance System version 1.0 **Description** A critical vulnerability was found in the SourceCodester Student Attendance System. The issue affects an unknown function of the file attendance report.php. The manipulation of the `class id` argument leads to SQL injection. The exploit has been disclosed to the public and may be used. **Recommendations** For SourceCodester Student Attendance System version 1.0, consider disabling the affected function in attendance report.php until a patch is available. Restrict access to the attendance report.php file to minimize the risk of exploitation. Avoid using the `class id` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elenos ETG150 FM transmitter version 3.12 **Description** The issue is related to improper access control, allowing attackers to make arbitrary configuration edits that are normally only accessible by privileged users. **Recommendations** For Elenos ETG150 FM transmitter version 3.12, consider restricting access to configuration edit features until a patch is available. As a temporary workaround, limit the privileges of non-administrative users to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Elenos ETG150 FM Transmitter version 3.12 **Description** The issue is related to insufficient session expiration, allowing attackers to change transmitter configuration and data after a user has logged out. **Recommendations** For Elenos ETG150 FM Transmitter version 3.12, consider implementing proper session expiration mechanisms to prevent unauthorized access after logout. As a temporary workaround, restrict access to the transmitter configuration and data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Elenos ETG150 FM transmitter version 3.12 **Description** A lack of rate limiting in the Elenos ETG150 FM transmitter allows attackers to obtain user credentials via brute force and cause other unspecified impacts. **Recommendations** For Elenos ETG150 FM transmitter version 3.12, consider implementing rate limiting on login attempts to prevent brute force attacks until a patch is available. As a temporary workaround, restrict access to the login functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elenos ETG150 FM transmitter version 3.12 **Description** An issue in the Elenos ETG150 FM transmitter allows attackers to enumerate user accounts based on server responses when credentials are submitted. **Recommendations** For Elenos ETG150 FM transmitter version 3.12, consider restricting access to the server until a patch is available to prevent user account enumeration. As a temporary workaround, avoid submitting credentials to the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Elenos ETG150 FM transmitter version 3.12 **Description** An Insecure Direct Object Reference (IDOR) issue allows access to events profiles. **Recommendations** For Elenos ETG150 FM transmitter version 3.12, consider restricting access to sensitive events profiles until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GatesAIr Flexiva FM Transmitter/Exiter Fax 150W (affected versions not specified) **Description** The issue allows a remote attacker to gain privileges via the LDAP and SMTP credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GatesAIr Flexiva FM Transmitter/Exciter version FAX 150W **Description** The issue allows a remote attacker to execute arbitrary code via a crafted script to the web application dashboard. This is a Cross Site Scripting vulnerability. **Recommendations** For GatesAIr Flexiva FM Transmitter/Exciter version FAX 150W, consider disabling access to the web application dashboard until a fix is available. Restrict the use of the dashboard to minimize the risk of exploitation. Avoid using the dashboard with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elenos ETG150 FM transmitter version 3.12 **Description** The issue is related to improper access control, which can lead to privilege escalation. This can be exploited by utilizing a user's role in their profile. In some cases, an attack could be conducted over the public Internet. The vulnerability is also associated with deficiencies in access control in the Memcached service of the Elenos ETG150 FM transmitter's firmware, allowing a remote attacker to potentially elevate their privileges. **Recommendations** For Elenos ETG150 FM transmitter version 3.12, consider restricting access to the user profile and `user role` to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of the Memcached service to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elenos ETG150 FM transmitter version 3.12 **Description** The issue is related to insufficient protection of service data, allowing an attacker to gain unauthorized access to sensitive information. This can be exploited by accessing the publicly accessible Memcached service, potentially over the public Internet. The leak includes SMTP credentials and other sensitive information. **Recommendations** For Elenos ETG150 FM transmitter version 3.12, consider restricting access to the Memcached service to minimize the risk of exploitation. As a temporary workaround, limit public Internet access to the transmitter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elenos ETG150 FM transmitter version 3.12 **Description** The issue is related to improper access control, which can be exploited to add a high-privilege user by leveraging the user's role within the admin profile. This can potentially be done over the public Internet. The vulnerability is associated with software deficiencies in access control. **Recommendations** For version 3.12, consider restricting access to the admin profile to minimize the risk of exploitation until a patch is available. As a temporary workaround, review and limit user roles within the admin profile to prevent unauthorized privilege escalation.