Aidaho12

**Name of the Vulnerable Software and Affected Versions** Roxy-WI versions prior to 6.3.5.0 **Description** The issue is related to a limited path traversal vulnerability in the Roxy-WI web interface, which can be exploited by a remote attacker to gain unauthorized access to protected information. This vulnerability allows an SSH key to be saved into an unintended location, such as the `/tmp` folder, using a payload like `../../../../../tmp/test111 dev`. **Recommendations** For versions prior to 6.3.5.0, update to version 6.3.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable web interface until the update is applied. Avoid using the vulnerable functionality to save SSH keys to unintended locations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Roxy-WI versions prior to 6.1.1.0 **Description** Roxy-WI is a Web interface for managing HAProxy, Nginx, and Keepalived servers. The system command can be run remotely via the `subprocess execute` function without processing the inputs received from the user in the `/app/options.py` file. **Recommendations** For versions prior to 6.1.1.0, update to version 6.1.1.0 to resolve the issue. As a temporary workaround, consider disabling the `subprocess execute` function until a patch is available. Restrict access to the `/app/options.py` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Roxy-WI versions prior to 6.1.1.0 **Description** Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The issue arises from the `subprocess execute` function in the `/app/options.py` file, which does not properly process user input, allowing system commands to be executed remotely without authentication. This enables attackers to run arbitrary code on the system. **Recommendations** For versions prior to 6.1.1.0, it is recommended to upgrade to a newer version to resolve the issue. As a temporary workaround, consider restricting access to the `subprocess execute` function in the `/app/options.py` file until a patch is available. Additionally, avoid using the `subprocess execute` function without proper input validation to minimize the risk of exploitation. At the moment, there is no information about other mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Roxy-wi versions prior to 6.1.1.0 **Description** A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This issue affects Roxy-wi, an open source web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. **Recommendations** For versions prior to 6.1.1.0, upgrade to version 6.1.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Roxy-wi interface until an upgrade can be performed.

**Name of the Vulnerable Software and Affected Versions** Roxy-wi versions prior to 6.1.1.0 **Description** A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to achieve code execution by sending a specially crafted HTTP request to the "/app/options.py" file. This issue is related to the incorrect neutralization of special elements in output, which can be exploited by a remote attacker to execute arbitrary code. **Recommendations** For Roxy-wi versions prior to 6.1.1.0, users are advised to upgrade to a version that contains the fix for this issue. As a temporary workaround, consider restricting access to the "/app/options.py" file until a patch is available. There are no known workarounds for this issue other than upgrading.