Víctor Bello Cuevas

Name of the Vulnerable Software and Affected Versions: CIRCUTOR TCP2RS+ version 1.3b Description: The issue allows an attacker to modify any configuration value without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This is possible even if the device has the user/password authentication option enabled. The equipment is at the end of its useful life cycle. Recommendations: For version 1.3b, consider restricting access to port 2000 to minimize the risk of exploitation, and avoid using the UDP protocol for configuration changes until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CIRCUTOR TCP2RS+ version 1.3b Description: The issue allows an attacker to modify any configuration value without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use, even if the device has the user/password authentication option enabled. This equipment is at the end of its useful life cycle. Recommendations: For version 1.3b, as a temporary workaround, consider restricting access to the UDP protocol and port 2000 until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CIRCUTOR Q-SMT version 1.0.4 Description: An attacker with access to the network where the CIRCUTOR Q-SMT is located could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol, preventing a secure communication channel from being established. Recommendations: For version 1.0.4, consider disabling the use of the HTTP protocol until a patch is available, and restrict access to sensitive data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the `autorefresh` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue involves a cross-site request forgery token in the request that may be predictable or easily guessable, allowing attackers to craft a malicious request. This could be triggered by a victim unknowingly, leading to the victim user carrying out an action unintentionally in a successful attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Westermo Lynx (affected versions not specified) **Description** A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** An attacker with access to the web application with vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the `dns.0.server` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Westermo Lynx (affected versions not specified) **Description** An attacker with access to the Westermo Lynx web application could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the `forward.0.domain` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Westermo Lynx (affected versions not specified) **Description** A potential attacker with access to the Westermo Lynx device could execute malicious code, affecting the device's correct functioning. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Westermo Lynx 206-F2G (affected versions not specified) **Description** An attacker with access to the network where the affected devices are located could maliciously take actions to obtain, via a sniffer, sensitive information exchanged via TCP communications. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.