Yun Zhang

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-823X version 250416 **Description** A flaw exists in D-Link DIR-823X 250416 that allows for command injection. This occurs due to a manipulation of the `wd enable` argument within the `sub 412E7C` function of the `/goform/set wifidog settings` file. The attack can be carried out remotely. The exploit is publicly available. **Recommendations** Apply any available updates to address the issue in the affected version. As a temporary workaround, consider restricting access to the `/goform/set wifidog settings` file. Avoid manipulating the `wd enable` argument in the `/goform/set wifidog settings` file.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-8200G version 17.12.20A1 **Description** A flaw exists in D-Link DI-8200G version 17.12.20A1 that allows for command injection. The issue is related to the manipulation of the `path` argument within an unknown function of the `/upgrade filter.asp` file. This allows for remote attacks. The exploit for this issue has been publicly released. **Recommendations** For D-Link DI-8200G version 17.12.20A1, restrict access to the `/upgrade filter.asp` file. As a temporary workaround, consider disabling the affected function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** UTT 进取 512W versions through 1.7.7-171114 **Description** A buffer overflow issue exists in the `strcpy` function within the `/goform/formP2PLimitConfig` file. Manipulation of the `except` argument can lead to a buffer overflow. This issue is potentially exploitable remotely. The exploit has been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions prior to 1.7.7-171114 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tenda AC20 versions up to 16.03.08.12 **Description** A buffer overflow exists in the Tenda AC20 router. The issue is located in an unknown function within the `/goform/WifiExtraSet` file. Manipulation of the `wpapsk crypto` argument can trigger the overflow, allowing for remote code execution. The exploit for this issue is publicly available. **Recommendations** Versions up to 16.03.08.12 should be updated to a newer, secure version as soon as possible. As a temporary workaround, restrict access to the `/goform/WifiExtraSet` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-7001 MINI versions 19.09.19A1 through 24.04.18B1 **Description** A flaw exists in D-Link DI-7001 MINI that allows for command injection. This occurs due to improper handling of the `cmd` argument within an unknown function of the `/msp info.htm` file. An attacker can leverage this to execute commands remotely. The exploit for this issue is publicly available. **Recommendations** D-Link DI-7001 MINI versions 19.09.19A1 through 24.04.18B1: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Campcodes Online Apartment Visitor Management System version 1.0 **Description** A SQL injection issue exists in Campcodes Online Apartment Visitor Management System version 1.0. The issue is located in the file `/admin-profile.php` and involves manipulation of the `mobilenumber` argument. Remote exploitation is possible. The exploit has been made public. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-7001 MINI version 24.04.18B1 **Description** A security issue exists in D-Link DI-7001 MINI. Manipulation of the `str` argument within an unknown function of the `/dbsrv.asp` file can lead to a buffer overflow. This issue may be exploited remotely. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DI-7001 MINI version 24.04.18B1 **Description** A flaw exists in D-Link DI-7001 MINI version 24.04.18B1. The issue involves manipulation of the `path` argument within the file `/upgrade filter.asp`, leading to os command injection. This manipulation occurs in an unknown function. The attack can be initiated remotely, and an exploit is publicly available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruijie NBR2100G-E versions up to 20250919 **Description** A security flaw exists in Ruijie NBR2100G-E. The issue is related to os command injection. This occurs through manipulation of the `city` argument in the `listAction` function within the file '/itbox pi/branch passw.php?a=list'. The attack can be carried out remotely. The exploit has been publicly released. Other parameters may also be affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Campcodes Computer Sales and Inventory System version 1.0 **Description** A security issue exists in Campcodes Computer Sales and Inventory System 1.0. The vulnerability is related to the manipulation of the `ID` argument within the file '/pages/us edit1.php', leading to a SQL injection. Remote exploitation is possible, and the exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.