Amir Zaltzman

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions 1.12.1 and earlier **Description** A flaw exists that allows a logged-in attacker to execute code on the system remotely. This is achieved by injecting malicious input into the `username` and/or `password` fields within the restore action located at the `/api/V1` endpoint. **Recommendations** Versions prior to 1.12.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions 1.12.1 and earlier **Description** A flaw exists that allows a logged-in attacker to execute code on a system remotely. This is achieved by altering harmful input within the URL of the MBird SMS service and/or code through the utility path. This input is then processed during system configuration, resulting in remote code execution. The vulnerability is an OS command injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** A flaw exists that allows a logged-in attacker to execute code remotely on a system. This is achieved by injecting malicious input into requests sent to the `/templates` route. The issue is an OS command injection. **Recommendations** Update to a version newer than 1.12.1.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** An operating system command injection issue exists that allows an authenticated attacker to execute code remotely. This is achieved by injecting malicious input into the map filename field during the map upload action of the parameters route. **Recommendations** Update to a version of XWEB Pro later than 1.12.1.

**Nome do Software Vulnerável e Versões Afetadas** XWEB Pro versões 1.12.1 e anteriores **Descrição** Existe uma falha que permite a um atacante autenticado executar código remotamente em um sistema. Isso é realizado mediante a injeção de entrada maliciosa no campo `devices` na ação de atualização de firmware. A injeção resulta em execução remota de código. **Recomendações** Atualize o XWEB Pro para uma versão superior à 1.12.1.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Copeland XWEB Pro anteriores à 1.12.1 **Descrição** Um bypass de autenticação permite que atacantes contornem o requisito de autenticação e obtenham execução de código sem autenticação no sistema. A falha permite exploração remota via rede sem exigir acesso prévio ou interação do usuário. **Recomendações** Atualize para uma versão posterior à 1.12.1.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** An operating system command injection issue exists, allowing an authenticated attacker to execute code remotely. This is achieved by submitting crafted input to the firmware update route. The issue affects systems running the vulnerable software. **Recommendations** Update to a version newer than 1.12.1.

**Nome do Software Vulnerável e Versões Afetadas** Versões do XWEB Pro anteriores à 1.12.1 **Descrição** Um atacante não autenticado pode executar comandos no sistema remotamente. Isso é possível mediante o envio de uma requisição especialmente elaborada para a rota de instalação das bibliotecas e a injeção de entrada maliciosa no corpo da requisição. A aplicação processa as requisições de maneira inadequada, permitindo a execução remota de código (RCE). **Recomendações** As versões anteriores à 1.12.1 devem ser atualizadas.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions 1.12.1 and earlier **Description** A flaw exists that allows a logged-in attacker to execute code remotely on a system. This is possible by injecting malicious input into the `devices` field within the firmware update apply action. The issue is an OS command injection. **Recommendations** Update XWEB Pro to a version later than 1.12.1.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** A flaw exists that allows a logged-in attacker to execute code remotely on a system. This is achieved by injecting harmful input into OpenSSL argument fields within requests sent to the utility route. The vulnerability leads to remote code execution. **Recommendations** Update to a version later than 1.12.1.

**Name of the Vulnerable Software and Affected Versions** Copeland XWEB Pro versions prior to 1.12.1 **Description** A flaw exists that allows an authentication bypass due to improper handling of return values from the authentication routine. The software processes an unexpected return value as legitimate, bypassing authentication controls. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do Software Vulnerável e Versões Afetadas** Versões do XWEB Pro anteriores à 1.12.1 **Descrição** Existe uma falha que permite a um atacante autenticado executar código remotamente em um sistema. Isso é possível ao injetar entrada maliciosa no campo `devices` ao acessar o endpoint da API `/get setup`. Isso resulta em execução remota de código. **Recomendações** Atualize para uma versão superior à 1.12.1.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** An OS command injection issue exists that allows a logged-in attacker to execute code remotely on the system. This is achieved by submitting crafted input to the restore route. The `restore` route is susceptible to command injection due to improper input validation. The vulnerable parameter is not specified. **Recommendations** Update XWEB Pro to a version later than 1.12.1.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions 1.12.1 and earlier **Description** An operating system command injection issue exists in XWEB Pro. A successful exploit allows an authenticated attacker to execute code remotely on the system by providing a manipulated firmware update file through the firmware update path. The vulnerable component is the firmware update route. The vulnerable parameter is the firmware update file. **Recommendations** Versions prior to 1.12.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** An OS command injection issue exists, allowing an authenticated attacker to execute code remotely. This is achieved by providing malicious input through the device hostname configuration during system setup. The system processes this input, leading to remote code execution. **Recommendations** Update to a version later than 1.12.1.

**Nome do Software Vulnerável e Versões Afetadas** XWEB Pro versões anteriores à 1.12.1 **Descrição** Existe um estouro de buffer baseado em pilha em uma rota de API do XWEB Pro. Isso permite que atacantes não autenticados causem corrupção da pilha e encerramento do programa. A rota de API vulnerável não está especificada. **Recomendações** Atualize o XWEB Pro para a versão 1.12.1 ou superior.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** An arbitrary file-read issue exists in XWEB Pro, potentially allowing unauthenticated attackers to read arbitrary files on the system. This could lead to a denial-of-service attack. **Recommendations** Update XWEB Pro to version 1.12.1 or later.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** A flaw exists that allows a logged-in attacker to execute code on the system. This is possible by submitting crafted input into the username field of the import preconfiguration action via the API V1 route. The affected API endpoint is '/api/V1'. The vulnerable parameter is `username`. **Recommendations** Update to a version newer than 1.12.1.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** An operating system command injection issue exists in XWEB Pro, allowing an authenticated attacker to execute code remotely on the system. This is achieved by providing a manipulated template file to the `/devices` route. The `template file` is the source of the injection. **Recommendations** Update to a version later than 1.12.1.

**Name of the Vulnerable Software and Affected Versions** XWEB Pro versions prior to 1.12.1 **Description** A flaw exists that allows a logged-in attacker to execute code on the system remotely. This is achieved by configuring a specially crafted LCD state, which is then processed during system setup. The vulnerability is an OS command injection. **Recommendations** Update to a version newer than 1.12.1.