PT-2019-6598 · Ubiquiti · Airmax Isp, Airos, Airsync

Published: 2019-06-11 · Updated: 2024-12-19 · CVE-2010-5330

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Ubiquiti AirOS versions prior to 4.0.1
Ubiquiti AirMax ISP products versions prior to 5.3.5
Ubiquiti AirSync firmware versions prior to 5.4.5

Description

On certain Ubiquiti devices, command injection is possible via a GET request to "stainfo.cgi" (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters.

Recommendations

For AirOS versions prior to 4.0.1, update to version 4.0.1 or later.
For AirMax ISP products prior to 5.3.5, update to version 5.3.5 or later.
For AirSync firmware prior to 5.4.5, update to version 5.4.5 or later.
As a temporary workaround, consider restricting access to the "stainfo.cgi" endpoint until a patch is available.
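
To check whether the endpoint has been probed, the following added example (not part of the original advisory or vendor code) scans web access logs for "stainfo.cgi" requests whose decoded ifname value is not a plain interface name. The log format, the allow-list pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: logs use Common/Combined Log Format; adjust REQUEST_RE otherwise.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# Assumption: a legitimate interface name is short and plain
# (Linux limits interface names to 15 characters).
SAFE_IFNAME = re.compile(r'[A-Za-z0-9_.-]{1,15}')


def suspicious_ifnames(target):
    """Return decoded ifname values of a stainfo.cgi request that fail the allow-list."""
    url = urlsplit(target)
    if not url.path.lower().endswith("/stainfo.cgi"):
        return []
    bad = []
    # Split on '&' only, so a raw ';' stays inside the value instead of ending it.
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) != "ifname":
            continue
        decoded = unquote_plus(value)  # undo %XX and '+' encoding before checking
        if not SAFE_IFNAME.fullmatch(decoded):
            bad.append(decoded)
    return bad


def scan(lines):
    """Yield (line_number, bad_values) for each log line that needs review."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            bad = suspicious_ifnames(match.group("target"))
            if bad:
                yield number, bad


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2019:10:00:01 +0000] "GET /stainfo.cgi?ifname=ath0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jun/2019:10:00:05 +0000] "GET /stainfo.cgi?ifname=ath0%3Bplaceholder HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jun/2019:10:00:09 +0000] "GET /status.cgi?ifname=ath0%3Bplaceholder HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for number, bad in scan(SAMPLE_LOG):
        print(f"line {number}: non-conforming ifname {bad!r}")
```

A hit only shows that a non-conforming value was sent; whether the device was affected depends on the firmware version listed above.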

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2010-5330

Affected Products

Airmax Isp
Airos
Airsync