Mono7S

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 Description: A critical vulnerability has been found in H3C Magic NX series devices, affecting the function `FCGI WizardProtoProcess` of the file `/api/wizard/setsyncpppoecfg` of the component HTTP POST Request Handler. The manipulation leads to command injection. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used. Recommendations: To resolve the issue, upgrade the affected component to a version later than V100R014 for each of the following devices: H3C Magic NX15 H3C Magic NX30 Pro H3C Magic NX400 H3C Magic R3010 As a temporary workaround, consider restricting access to the `/api/wizard/setsyncpppoecfg` API endpoint and disabling the `FCGI WizardProtoProcess` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 H3C Magic BE18000 versions up to V100R014 Description: A critical issue affects the function `FCGI CheckStringIfContainsSemicolon` of the file "/api/wizard/getCapabilityWeb" in the component HTTP POST Request Handler, leading to command injection. Access to the local network is required for this attack to succeed. The issue has been publicly disclosed. Recommendations: For H3C Magic NX15 versions up to V100R014, upgrade the affected component to a newer version. For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component to a newer version. For H3C Magic NX400 versions up to V100R014, upgrade the affected component to a newer version. For H3C Magic R3010 versions up to V100R014, upgrade the affected component to a newer version. For H3C Magic BE18000 versions up to V100R014, upgrade the affected component to a newer version.

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 H3C Magic BE18000 versions up to V100R014 Description: A critical issue has been found in H3C network devices, affecting the function `FCGI CheckStringIfContainsSemicolon` of the `/api/wizard/setLanguage` component in the HTTP POST Request Handler. This leads to command injection. The attack must be launched from within the local network. Recommendations: For H3C Magic NX15 versions up to V100R014, upgrade the affected component. For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component. For H3C Magic NX400 versions up to V100R014, upgrade the affected component. For H3C Magic R3010 versions up to V100R014, upgrade the affected component. For H3C Magic BE18000 versions up to V100R014, upgrade the affected component. As a temporary workaround, consider disabling the `FCGI CheckStringIfContainsSemicolon` function until a patch is available. Restrict access to the `/api/wizard/setLanguage` API endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 H3C Magic BE18000 versions up to V100R014 Description: A critical issue has been found, affecting the function `FCGI CheckStringIfContainsSemicolon` of the file "/api/wizard/getLanguage" in the component HTTP POST Request Handler. This leads to command injection. The attack can only be done within the local network. Recommendations: For H3C Magic NX15 versions up to V100R014, upgrade the affected component. For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component. For H3C Magic NX400 versions up to V100R014, upgrade the affected component. For H3C Magic R3010 versions up to V100R014, upgrade the affected component. For H3C Magic BE18000 versions up to V100R014, upgrade the affected component. As a temporary workaround, consider disabling the `FCGI CheckStringIfContainsSemicolon` function until a patch is available. Restrict access to the "/api/wizard/getLanguage" endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 Description: A critical issue was found in the affected devices, which affects the `FCGI WizardProtoProcess` function of the `/api/wizard/getsyncpppoecfg` API endpoint in the HTTP POST Request Handler component. This leads to command injection. The attack must be initiated within the local network. Recommendations: For H3C Magic NX15 versions up to V100R014, upgrade the affected component. For H3C Magic NX400 versions up to V100R014, upgrade the affected component. For H3C Magic R3010 versions up to V100R014, upgrade the affected component.

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 Description: A critical vulnerability was found in the H3C Magic NX series, affecting the function `FCGI WizardProtoProcess` of the `/api/wizard/getCapability` API endpoint in the HTTP POST Request Handler component. This vulnerability leads to command injection. The attack can only be initiated within the local network. Recommendations: For H3C Magic NX15 versions up to V100R014, upgrade the affected component. For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component. For H3C Magic NX400 versions up to V100R014, upgrade the affected component. For H3C Magic R3010 versions up to V100R014, upgrade the affected component. As a temporary workaround, consider disabling the `FCGI WizardProtoProcess` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15, Magic NX30 Pro, Magic NX400, and Magic R3010 versions up to V100R014 Description: A critical issue has been found in the affected devices, specifically in the function `FCGI WizardProtoProcess` of the `/api/wizard/getSpecs` endpoint of the HTTP POST Request Handler component. This issue leads to command injection. The attack must be performed within the local network. Recommendations: For H3C Magic NX15, Magic NX30 Pro, Magic NX400, and Magic R3010 versions up to V100R014, it is recommended to upgrade the affected component to a version that is not affected by this issue. As a temporary workaround, consider disabling the `FCGI WizardProtoProcess` function until a patch is available. Restrict access to the `/api/wizard/getSpecs` endpoint to minimize the risk of exploitation.