Wentao Yang

**Name of the Vulnerable Software and Affected Versions** Vitogate 300 version 2.1.3.0 **Description** The issue allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the `ipaddr` params JSON data for the put method in the `/cgi-bin/vitogate.cgi` API endpoint. **Recommendations** For Vitogate 300 version 2.1.3.0, as a temporary workaround, consider disabling the `/cgi-bin/vitogate.cgi` API endpoint or restricting access to it until a patch is available. Avoid using the `ipaddr` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Digital China Networks DCFW-1800-SDC version 3.0 **Description** The issue allows an authenticated attacker to execute arbitrary code via the wget function in the /sbin/cloudadmin.sh component. This is a result of a File Upload vulnerability. **Recommendations** For Digital China Networks DCFW-1800-SDC version 3.0, consider disabling the wget function in the /sbin/cloudadmin.sh component as a temporary workaround until a patch is available. Restrict access to the /sbin/cloudadmin.sh component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.