CVE-2020-26574

Name of the Vulnerable Software and Affected Versions Leostream Connection Broker versions 8.2.x

Description The issue allows an unauthenticated attacker to inject arbitrary JavaScript code via the User-Agent HTTP header in the webquery.pl file. This code is rendered by administrators the next time they log in, and it can be used to force the admin to upload a malicious Perl script. The script will be executed as root via the libMisc::browser client function. This issue only affects products that are no longer supported by the maintainer.

Recommendations For Leostream Connection Broker version 8.2.x, consider disabling the webquery.pl file or restricting access to it until a patch is available. As a temporary workaround, restrict the use of the User-Agent HTTP header to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.