CVE-2017-8835

Name of the Vulnerable Software and Affected Versions Peplink Balance versions prior to 7.0.1-build2093

Description The issue allows for SQL injection, which can be exploited through the bauth cookie in the /cgi-bin/MANGA/admin.cgi API endpoint. This can lead to the enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.

Recommendations For Peplink Balance versions prior to 7.0.1-build2093, update to firmware version 7.0.1-build2093 or later to resolve the issue. As a temporary workaround, consider restricting access to the /cgi-bin/MANGA/admin.cgi API endpoint to minimize the risk of exploitation. Avoid using the bauth cookie in this endpoint until the issue is resolved.