Aviatrix · Aviatrix Controller · CVE-2024-50603
**Name of the Vulnerable Software and Affected Versions**
Aviatrix Controller versions prior to 7.1.4191 and 7.2.x prior to 7.2.4996.
**Description**
A critical command injection vulnerability in Aviatrix Controller allows unauthenticated attackers to execute arbitrary code due to the improper neutralization of special elements used in an OS command. This can be exploited by sending shell metacharacters to `/v1/api` in `cloud type` for `list flightpath destination instances` or `src cloud type` for `flightpath connection test`. Approximately 3% of enterprise cloud environments are affected, with attackers exploiting this vulnerability to deploy backdoors and crypto miners.
**Recommendations**
To resolve the issue, upgrade 7.1.x deployments to 7.1.4191 and 7.2.x deployments to 7.2.4996 as soon as possible. As a temporary workaround until the upgrade is applied, restrict network access to the controller's API endpoints. Additionally, monitor your environment for signs of exploitation and apply mitigations to protect your organization from cyberattacks.
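The monitoring step above can be made concrete with a log check. The following is an added example written for this page, not Aviatrix code and not part of the advisory. It assumes the controller's HTTP access log records the request body of `/v1/api` calls in the constructed format shown, and it maps the advisory's `cloud type` / `src cloud type` fields to the assumed parameter names `cloud_type` and `src_cloud_type` for the actions `list_flightpath_destination_instances` and `flightpath_connection_test`; both the log format and the field names are assumptions, so adjust them to your own logging before use.

```python
"""Detect CVE-2024-50603-style requests in constructed controller access logs.

Added example, not part of the advisory or of Aviatrix's code base.
Assumed (not stated on the page): the log records the POST body of /v1/api
requests, and the vulnerable fields are named `cloud_type` and
`src_cloud_type` for the two actions named in the advisory.
"""
import re
from urllib.parse import parse_qs

# Shell metacharacters that have no place in a cloud-type field.
SHELL_META = re.compile(r"[;&|`$(){}<>'\"\\\n]")

# Action -> field that reaches the OS command (assumed parameter names).
SENSITIVE_FIELDS = {
    "list_flightpath_destination_instances": "cloud_type",
    "flightpath_connection_test": "src_cloud_type",
}

# Constructed log format: <src> - "<method> <path> <proto>" <status> body="<urlencoded body>"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ "(?P<method>\w+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) body="(?P<body>[^"]*)"$'
)


def inspect_request(path, body):
    """Return a finding dict for a suspicious /v1/api request, else None."""
    if not path.startswith("/v1/api"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes %3B -> ';' etc.
    action = params.get("action", [""])[0]
    field = SENSITIVE_FIELDS.get(action)
    if field is None:
        return None
    value = params.get(field, [""])[0]
    if SHELL_META.search(value):
        return {"action": action, "field": field, "value": value,
                "reason": "shell metacharacters in cloud-type field"}
    # Allow-list check: a cloud type is assumed to be a small integer here.
    if not value.isdigit():
        return {"action": action, "field": field, "value": value,
                "reason": "non-numeric cloud-type value"}
    return None


def scan_log(lines):
    """Run inspect_request over raw log lines; return a list of findings."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        finding = inspect_request(m["path"], m["body"])
        if finding:
            finding["src"] = m["src"]
            finding["status"] = int(m["status"])
            findings.append(finding)
    return findings


# Constructed sample lines (not captured traffic). Line 2 carries a ';' in the
# sensitive field with a placeholder instead of any real command.
SAMPLE_LOG = [
    '10.0.0.5 - "POST /v1/api HTTP/1.1" 200 '
    'body="action=list_flightpath_destination_instances&cloud_type=1"',
    '203.0.113.7 - "POST /v1/api HTTP/1.1" 200 '
    'body="action=list_flightpath_destination_instances&cloud_type=1%3B+CONSTRUCTED_PAYLOAD"',
    '10.0.0.9 - "POST /v1/api HTTP/1.1" 200 '
    'body="action=login&username=admin%3B&password=x"',
    '10.0.0.5 - "GET /v1/health HTTP/1.1" 200 body=""',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} -> {f['action']} {f['field']}={f['value']!r}: {f['reason']}")
```

Only the second constructed line is reported: the metacharacter in `cloud_type` on a sensitive action is the signal, while the same character in an unrelated field (`username` on `login`) is ignored. The numeric allow-list mirrors the kind of input validation that removes the bug class, so it also flags odd-but-metacharacter-free values for review.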