E2 · OpenWebif Plugin · CVE-2017-9807
**Name of the Vulnerable Software and Affected Versions**
OpenWebif plugin through 1.2.4 for E2 open devices
**Description**
An issue in the OpenWebif plugin allows an unauthenticated remote attacker to execute arbitrary Python code or OS commands. The cause is the `saveConfig` function in "plugin/controllers/models/config.py", which performs an `eval()` call on the contents of the `key` HTTP GET parameter of the "api/saveconfig" endpoint.
**Recommendations**
For OpenWebif plugin versions through 1.2.4, consider disabling the `saveConfig` function or restricting access to the "api/saveconfig" endpoint until a patch is available. Avoid using the `key` parameter in the affected endpoint to minimize the risk of exploitation.
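The pattern described above (an `eval()` on the request's `key` value) next to a resolver that never evaluates input, as an added example; this is not OpenWebif's code or its actual patch. The `Node`/`Setting` tree, the dotted `config.section.option` key format and all function names are assumptions made for the illustration.

```python
import re

# Constructed stand-in for a settings tree (assumption; not OpenWebif's objects).
class Node:
    def __init__(self, **children):
        self.__dict__.update(children)

class Setting:
    def __init__(self, value):
        self.value = value

config = Node(usage=Node(setup_level=Setting("expert")))

# Dotted path of plain identifiers; no segment may start with an underscore,
# which rules out attribute walks through names such as __class__.
KEY_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*\Z")

def resolve_unsafe(key):
    """Flawed pattern: the client-supplied string is evaluated as Python."""
    return eval(key)  # any expression the client sends is executed

def resolve_safe(key, root=config, root_name="config"):
    """Resolve a dotted key by walking known children; input is never evaluated."""
    if not isinstance(key, str) or not KEY_RE.match(key):
        raise ValueError("malformed key")
    head, *path = key.split(".")
    if head != root_name or not path:
        raise ValueError("key outside config tree")
    obj = root
    for name in path:
        if not isinstance(obj, Node) or name not in vars(obj):
            raise ValueError("unknown key")
        obj = vars(obj)[name]
    if not isinstance(obj, Setting):
        raise ValueError("key is not a setting")
    return obj

def save_config(key, value):
    """Hardened handler core: True if the setting was updated, False if rejected."""
    try:
        resolve_safe(key).value = value
        return True
    except ValueError:
        return False
```

Rejecting the key before any lookup also gives a clean signal to log: a request to the endpoint whose `key` is not a plain dotted name is worth alerting on.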