Roxy-WI · CVE-2024-43804
**Name of the Vulnerable Software and Affected Versions**
Roxy-WI (affected versions not specified)
**Description**
The issue is an OS Command Injection vulnerability in the Roxy-WI web interface for managing servers. It allows any authenticated user to execute arbitrary commands on the web application server through the port scanning functionality. User-supplied input is used without validation when constructing and executing an OS command: the attacker-controlled `ip` variable is interpolated into the `cmd` and `cmd1` command strings without any further validation, and `server_mod.subprocess_execute` is then called on both strings. Because that function runs the command with `subprocess.Popen()` and `shell=True`, shell metacharacters inside `ip` (such as `;`, `|`, backticks or `$(...)`) are interpreted by the shell, which results in OS Command Injection.
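The following is an added example, not Roxy-WI's own code, showing the pattern the description refers to: an attacker-controlled `ip` interpolated into a command string and run with `shell=True`, next to two hardened variants. The scan binary is a stand-in (`echo`, assumed so the example runs anywhere without `nmap`), and the function names are illustrative.

```python
import ipaddress
import shlex
import subprocess

# Assumption: the real port-scan command is not reproduced here; "echo" stands
# in for the scanner so the example runs offline on any POSIX host.
SCAN_BIN = "echo"


def build_cmd_vulnerable(ip: str) -> str:
    # Attacker-controlled `ip` is spliced straight into a shell command string.
    return f"{SCAN_BIN} scanning {ip}"


def run_vulnerable(ip: str) -> str:
    """Mirrors the vulnerable pattern: string command + shell=True."""
    cmd = build_cmd_vulnerable(ip)
    # shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)'
    # and backticks inside `ip` become shell syntax, not part of the address.
    proc = subprocess.Popen(
        cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT
    )
    out, _ = proc.communicate()
    return out.decode()


def validate_ip(ip: str) -> str:
    """Accept only a literal IPv4/IPv6 address; raises ValueError otherwise."""
    # ipaddress rejects anything that is not a well-formed address, which
    # includes every shell metacharacter an injection payload would need.
    return str(ipaddress.ip_address(ip.strip()))


def run_argv_unvalidated(ip: str) -> str:
    """Defence 1 on its own: pass an argv list and never invoke a shell.

    Even with no validation the payload arrives as a single argument to the
    scanner binary, so the injected command is not executed.
    """
    argv = [SCAN_BIN, "scanning", ip]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_hardened(ip: str) -> str:
    """Defence 1 + defence 2: validate the input, then exec without a shell."""
    ip = validate_ip(ip)
    argv = [SCAN_BIN, "scanning", ip]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def build_cmd_quoted(ip: str) -> str:
    """If a shell string is unavoidable (e.g. a pipeline), quote each value.

    shlex.quote wraps the value so the shell treats it as one literal word.
    """
    return f"{SCAN_BIN} scanning {shlex.quote(ip)}"


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"   # constructed sample input
    print("vulnerable :", repr(run_vulnerable(payload)))
    print("argv only  :", repr(run_argv_unvalidated(payload)))
    print("quoted cmd :", build_cmd_quoted(payload))
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
    print("hardened   :", repr(run_hardened("127.0.0.1")))
```

Running the script shows the injected `echo INJECTED` executing only in the `shell=True` variant; the argv-list variant prints the whole payload as one literal argument, and the validated variant refuses it before any process is spawned.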
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability. Users are advised to contact Roxy-WI to coordinate a fix. As a temporary workaround, restrict access to the port scanning functionality to trusted administrators, since every authenticated user can otherwise reach it, or disable the affected API endpoint entirely until the issue is resolved, so that the attacker-controlled `ip` value is never passed to a shell.