Xubeining

**Name of the Vulnerable Software and Affected Versions** Tenda CH22 version 1.0.0.1 **Description** A critical issue has been found in the Tenda CH22, affecting the `formaddUserName` function of the file `/goform/addUserName`. The manipulation of the `Password` argument leads to a stack-based buffer overflow. This issue can be exploited remotely. **Recommendations** For Tenda CH22 version 1.0.0.1, as a temporary workaround, consider disabling the `formaddUserName` function until a patch is available. Restrict access to the `/goform/addUserName` endpoint to minimize the risk of exploitation. Avoid using the `Password` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda CH22 version 1.0.0.1 **Description** A critical vulnerability was found in Tenda CH22, affecting the `formNatlimit` function of the file `/goform/Natlimit`. The manipulation of the `page` argument leads to a stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** As a temporary workaround, consider disabling the `formNatlimit` function until a patch is available. Restrict access to the `/goform/Natlimit` file to minimize the risk of exploitation. Avoid using the `page` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-8100 versions up to 20250523 **Description** A critical issue was found in the D-Link DI-8100, affecting the `httpd get parm` function of the `/login.cgi` file in the `jhttpd` component. The manipulation of the `notify` argument leads to a stack-based buffer overflow. This issue can only be exploited within the local network. The exploit has been publicly disclosed and may be used. **Recommendations** For D-Link DI-8100 versions up to 20250523, as a temporary workaround, consider disabling the `httpd get parm` function until a patch is available. Restrict access to the `/login.cgi` file to minimize the risk of exploitation. Avoid using the `notify` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda FH451 version 1.0.0.9 **Description** A critical issue has been discovered, affecting the `webExcptypemanFilter` function of the file `/goform/webExcptypemanFilter`. The manipulation of the `page` argument leads to a stack-based buffer overflow. This issue can be exploited remotely. **Recommendations** For Tenda FH451 version 1.0.0.9, as a temporary workaround, consider restricting access to the `/goform/webExcptypemanFilter` endpoint to minimize the risk of exploitation. Avoid using the `page` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda A15 version 15.13.07.13 **Description** A vulnerability was found in the function `formArpNerworkSet` of the file `/goform/ArpNerworkSet`. The manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Tenda A15 version 15.13.07.13, as a temporary workaround, consider disabling the `formArpNerworkSet` function until a patch is available. Restrict access to the `/goform/ArpNerworkSet` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.