CVE-2014-8389

Name of the Vulnerable Software and Affected Versions AirLive BU-2015 version 1.03.18 AirLive BU-3026 version 1.43 AirLive MD-3025 version 1.81 AirLive WL-2000CAM version LM.1.6.18 AirLive POE-200CAM v2 version LM.1.6.17.01

Description The issue is related to the use of hard-coded credentials in the embedded Boa web server, specifically in the cgi-bin/mft/wireless mft.cgi script. This allows remote attackers to obtain user credentials via crafted HTTP requests. Additionally, the vulnerability is associated with a failure to neutralize special elements used in the operating system command, which can be exploited by a remote attacker to execute arbitrary commands on the device using a specially crafted HTTP request, including the ap parameter.

Recommendations For AirLive BU-2015 version 1.03.18, consider disabling the cgi-bin/mft/wireless mft.cgi script until a patch is available. For AirLive BU-3026 version 1.43, restrict access to the cgi-bin/mft/wireless mft.cgi script to minimize the risk of exploitation. For AirLive MD-3025 version 1.81, avoid using the ap parameter in the affected HTTP requests until the issue is resolved. For AirLive WL-2000CAM version LM.1.6.18, consider disabling the Boa web server until a patch is available. For AirLive POE-200CAM v2 version LM.1.6.17.01, restrict access to the cgi-bin/mft/wireless mft.cgi script to minimize the risk of exploitation.