Trango devices all have a built-in, hidden root account, with a default password that is the same across many devices and software revisions. This account is accessible via ssh and grants access to the underlying embedded unix OS on the device, allowing full control over it. Recent software updates for some models have changed this password, but have not removed this backdoor.
986abf819296c00b665c64e80363c5675da033cc02cc865611fe61a308c341d2
When serializing JavaScript objects for sending to another window using the postMessage method, the code in blink does not handle Symbol objects correctly and attempts to serialize this kind of object as a regular object, which results in a bad cast. An attacker that can trigger this issue may be able to execute arbitrary code. Chrome version 38 is affected.
62430de9384e1fc1e44dd85ff62388f8415cb6ba8958ab0623f192a275046d1c