Theraz0R

**Name of the Vulnerable Software and Affected Versions** D-Link DI-8003 version 16.07.16A1 **Description** A critical issue has been found, affecting the function `dbsrv asp` of the file `/dbsrv.asp`. The manipulation of the argument `str` leads to a stack-based buffer overflow. This issue can be exploited remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For D-Link DI-8003 version 16.07.16A1, as a temporary workaround, consider disabling the `dbsrv asp` function until a patch is available. Restrict access to the `/dbsrv.asp` file to minimize the risk of exploitation. Avoid using the argument `str` in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda AC6 version 15.03.05.19 **Description** A critical issue has been found in the `formWriteFacMac()` function of the `/goform/WriteFacMac` API endpoint. The manipulation of the `mac` parameter leads to command injection. This issue can be exploited remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Tenda AC6 version 15.03.05.19, as a temporary workaround, consider disabling the `formWriteFacMac()` function until a patch is available. Restrict access to the `/goform/WriteFacMac` API endpoint to minimize the risk of exploitation. Avoid using the `mac` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-8003 version 16.07.16A1 **Description** A critical issue has been found in the `upgrade filter asp` function of the `/upgrade filter.asp` file. The manipulation of the `path` argument leads to a stack-based buffer overflow. This issue can be exploited remotely. The exploit has been disclosed publicly and may be used. **Recommendations** For D-Link DI-8003 version 16.07.16A1, as a temporary workaround, consider disabling the `upgrade filter asp` function until a patch is available. Restrict access to the `/upgrade filter.asp` file to minimize the risk of exploitation. Avoid using the `path` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda AC15 version 15.03.05.19 **Description** A critical vulnerability has been found in the function `SetDlnaCfg` of the file `/goform/SetDlnaCfg`. The manipulation of the argument `scanList` leads to a stack-based buffer overflow. This issue can be exploited remotely, allowing an attacker to execute arbitrary code by injecting a specially crafted command. The exploit has been disclosed to the public. **Recommendations** For Tenda AC15 version 15.03.05.19, as a temporary workaround, consider disabling the `SetDlnaCfg` function until a patch is available. Restrict access to the `/goform/SetDlnaCfg` endpoint to minimize the risk of exploitation. Avoid using the `scanList` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda AC6 version 15.03.05.19 **Description** A critical issue affects the function `formSetDeviceName` of the file `/goform/SetOnlineDevName`, where the manipulation of the argument `devName` leads to a stack-based buffer overflow. This can be exploited remotely, potentially allowing an attacker to execute arbitrary code or cause a denial of service. The issue is related to the handling of parameters `mac` and `devName`, which can cause the operation to exceed the buffer boundaries in memory. **Recommendations** For Tenda AC6 version 15.03.05.19, as a temporary workaround, consider disabling the `formSetDeviceName` function until a patch is available. Restrict access to the `/goform/SetOnlineDevName` file to minimize the risk of exploitation. Avoid using the parameter `devName` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-8003 version 16.07.16A1 **Description** A critical issue has been identified, affecting the function `upgrade filter asp` of the file `/upgrade filter.asp`. The manipulation of the argument `path` leads to os command injection. This issue can be exploited remotely. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For D-Link DI-8003 version 16.07.16A1, as a temporary workaround, consider disabling the `upgrade filter asp` function until a patch is available. Restrict access to the `/upgrade filter.asp` file to minimize the risk of exploitation. Avoid using the `path` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda AC15 version 15.03.05.19 **Description** A critical issue affects the function `formSetDeviceName` of the file `/goform/SetOnlineDevName`. The manipulation of the argument `devName` leads to a stack-based buffer overflow in the memory. This can be exploited remotely, allowing an attacker to potentially execute arbitrary code or cause a denial of service. The exploit for this issue has been publicly disclosed. **Recommendations** For Tenda AC15 version 15.03.05.19, as a temporary workaround, consider disabling the `formSetDeviceName` function until a patch is available. Restrict access to the `/goform/SetOnlineDevName` endpoint to minimize the risk of exploitation. Avoid using the parameter `devName` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.