CVE-2017-17888

Name of the Vulnerable Software and Affected Versions Anti-Web through version 3.8.7

Description The issue allows remote authenticated users to execute arbitrary OS commands via crafted multipart/form-data content. This affects devices from various manufacturers, including NetBiter / HMS, Ouman EH-net, Alliance System WS100 --> AWU 500, Sauter ERW100F001, Carlo Gavazzi SIU-DLG, AEDILIS SMART-1, SYXTHSENSE WebBiter, ABB SREA, and ASCON DY WebServer.

Recommendations For Anti-Web version 3.8.7 and earlier, consider restricting access to the cgi-bin/write.cgi endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the multipart/form-data content type in the affected endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.