Tom Westenberg

**Name of the Vulnerable Software and Affected Versions** GE Reason RT430, RT431, and RT434 GNSS clocks versions prior to 08A06 **Description** The issue is related to a code injection vulnerability. This vulnerability could allow a remote attacker to execute arbitrary code on the system. The vulnerability exists in one of the webpages of the affected devices. **Recommendations** For GE Reason RT430, RT431, and RT434 GNSS clocks versions prior to 08A06, update the firmware to version 08A06 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable webpage to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GE Reason RT430, RT431 & RT434 GNSS clocks versions prior to 08A06 **Description** The issue allows attackers to intercept and decrypt encrypted traffic through an HTTPS connection by having access to the hard-coded cryptographic key. This could potentially compromise the security of the data being transmitted. **Recommendations** For GE Reason RT430, RT431 & RT434 GNSS clocks versions prior to 08A06, update the firmware to version 08A06 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTPS connection to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MU320E versions prior to v04A00.1 **Description** The software contains a hard-coded password that could allow an attacker to take control of the merging unit using these hard-coded credentials. **Recommendations** For versions prior to v04A00.1, update to version v04A00.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Columbia Weather MicroServer version MS 2.6.9900 **Description** A stored Cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script via the "changestationname.php" endpoint. **Recommendations** For version MS 2.6.9900, consider restricting access to the `changestationname.php` endpoint until a fix is available. As a temporary workaround, avoid using the `changestationname.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Columbia Weather MicroServer version MS 2.6.9900 **Description** The issue allows an authenticated web user to execute commands directly on the underlying operating system due to unsanitized user input in the networkdiags.php file. **Recommendations** For version MS 2.6.9900, consider restricting access to the networkdiags.php file until a patch is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Columbia Weather MicroServer version MS 2.6.9900 **Description** The issue allows an authenticated web user to access an alternative configuration page, specifically the `config main.php` page, which enables manipulation of the device. **Recommendations** For version MS 2.6.9900, restrict access to the `config main.php` page to prevent unauthorized device manipulation.

**Name of the Vulnerable Software and Affected Versions** Columbia Weather MicroServer version MS 2.6.9900 **Description** The issue arises from the BACnet daemon's failure to properly validate input. This could allow a remote attacker to send specially crafted packets, potentially causing the device to become unavailable. **Recommendations** For version MS 2.6.9900, consider disabling the BACnet daemon until a patch is available to prevent potential exploitation.