Thomas Roth

**Name of the Vulnerable Software and Affected Versions** U-Boot (affected versions not specified) **Description** The issue is related to a U-Boot shell vulnerability that results in privilege escalation in a production device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** u-boot (affected versions not specified) **Description** The issue is related to a bug in u-boot that allows for access to the u-boot shell and interrupt over UART. This is caused by a buffer overflow in memory. An attacker could exploit this to bypass secure boot mechanisms. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 12.3 **Description** A privacy issue existed in the handling of Contact cards due to inadequate state management, potentially allowing a malicious application to access information about a user's contacts. **Recommendations** For versions prior to 12.3, update to macOS Monterey 12.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** VOBOT CLOCK versions prior to 0.99.30 **Description** The issue allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently execute arbitrary code, via a crafted certificate. This is possible because devices do not verify X.509 certificates from SSL servers. **Recommendations** For versions prior to 0.99.30, update to version 0.99.30 or later to resolve the issue. As a temporary workaround, consider disabling the use of SSL servers until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. Avoid using the `--no-check-certificate` option in Wget until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** VOBOT CLOCK versions prior to 0.99.30 **Description** An issue was discovered where an SSH server exists with a hardcoded `vobot` account that has root access. **Recommendations** For versions prior to 0.99.30, update to version 0.99.30 or later to resolve the issue. As a temporary workaround, consider disabling the SSH server or restricting root access to the `vobot` account until a patch is available.

**Name of the Vulnerable Software and Affected Versions** VOBOT CLOCK versions prior to 0.99.30 **Description** An issue allows man-in-the-middle attackers to execute arbitrary code by exploiting the use of cleartext HTTP to download a breakout program. This can be achieved by watching for a local user to launch the Breakout Easter Egg feature and then sending a crafted HTTP response. **Recommendations** For versions prior to 0.99.30, update to version 0.99.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the Breakout Easter Egg feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** pd-admin versions prior to 4.17 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML. This can be achieved via the WebFTP Overview "Create new directory" field or the body of an e-mail autoresponder message. **Recommendations** For versions prior to 4.17, update to version 4.17 or later to resolve the issue.