Ph0Jav7

**Name of the Vulnerable Software and Affected Versions** F-logic DataCube3 version 1.0 **Description** The issue is related to command injection due to improper string filtering at the command execution point in the ./admin/transceiver schedule.php file. An unauthenticated remote attacker can exploit this by sending a file name containing command injection, potentially allowing the attacker to execute system commands. **Recommendations** For F-logic DataCube3 version 1.0, consider restricting access to the ./admin/transceiver schedule.php file to minimize the risk of exploitation. As a temporary workaround, avoid using file names that could be used for command injection in this file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** F-logic DataCube3 version 1.0 **Description** The issue concerns a file upload vulnerability via the `/admin/transceiver schedule.php` API endpoint. This allows for potential malicious file uploads. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For F-logic DataCube3 version 1.0, as a temporary workaround, consider restricting access to the `/admin/transceiver schedule.php` API endpoint until a patch is available. Avoid using this endpoint for file uploads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.