Tobias Jäger

**Name of the Vulnerable Software and Affected Versions** SolarEdge mySolarEdge application version prior to 2.20.1 for Android **Description** The issue is related to a certificate verification problem, allowing a Machine-in-the-middle (MitM) attacker to read and alter all network traffic between the application and the server. This could potentially expose sensitive information. **Recommendations** For versions prior to 2.20.1, update to version 2.20.1 or later to resolve the issue. As a temporary workaround, consider restricting network access to trusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LXD (affected versions not specified) Ubuntu Server (affected versions not specified) **Description** A feature in LXD affects the default configuration of Ubuntu Server, allowing privileged users in the lxd group to escalate their privilege to root without requiring a sudo password. **Recommendations** For LXD, consider restricting access to the lxd group to minimize the risk of exploitation. For Ubuntu Server, review and modify the default configuration to require a sudo password for privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Loxone Miniserver Go Gen.2 versions prior to 14.1.5.9 **Description** The issue allows remote authenticated administrators to inject arbitrary OS commands via the `timezone` parameter in the websocket configuration endpoint. **Recommendations** For versions prior to 14.1.5.9, update to version 14.1.5.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the websocket configuration endpoint to minimize the risk of exploitation. Avoid using the `timezone` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Loxone Miniserver Go Gen.2 versions prior to 14.2 **Description** The issue allows a local user to calculate the root password and escalate privileges due to the root password being calculated using hard-coded secrets and the MAC address. **Recommendations** For versions prior to 14.2, update to version 14.2 or later to resolve the issue. As a temporary workaround, consider restricting local access to the Miniserver to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Loxone Miniserver Go Gen.2 through 14.0.3.28 **Description** The issue allows an authenticated operating system user to escalate privileges via the Sudo configuration, enabling the elevated execution of binaries without a password requirement. **Recommendations** For versions through 14.0.3.28, consider restricting the Sudo configuration to prevent privilege escalation until a patch is available. As a temporary workaround, review and limit the execution of binaries that can be run without a password requirement to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Elements-IT HTTP Commander version 5.3.3 **Description** A Cross-site scripting (XSS) issue in the "View in Browser" feature allows remote authenticated users to inject arbitrary web script or HTML via a crafted SVG image. **Recommendations** For Elements-IT HTTP Commander version 5.3.3, consider disabling the "View in Browser" feature until a patch is available to prevent exploitation of the XSS vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elements-IT HTTP Commander version 5.3.3 **Description** A Directory Traversal issue in the Unzip feature allows remote authenticated users to write files to arbitrary directories via relative paths in ZIP archives. **Recommendations** For Elements-IT HTTP Commander version 5.3.3, consider disabling the Unzip feature until a patch is available to prevent exploitation. Restrict access to sensitive directories to minimize the risk of arbitrary file writing.

**Name of the Vulnerable Software and Affected Versions** Elements-IT HTTP Commander version 5.3.3 **Description** A vulnerability in the "Upload from URL" feature allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address. **Recommendations** For Elements-IT HTTP Commander version 5.3.3, consider disabling the "Upload from URL" feature until a patch is available to prevent exploitation. Restrict access to internal server networks to minimize the risk of unauthorized file retrieval.

Name of the Vulnerable Software and Affected Versions: homee Brain Cube v2 versions 2.28.2 through 2.28.4 Description: The issue arises from insufficient validation of the firmware image file in the USB firmware update script, allowing an attacker with physical access to install compromised firmware, which can lead to code execution on the device. Recommendations: For homee Brain Cube v2 versions 2.28.2 through 2.28.4, as a temporary workaround, consider restricting physical access to the device until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.