PT-2020-7622 · Ubiquiti · Unifi Controller

Sethsec · Published 2020-02-08 · Updated 2020-02-12 · CVE-2014-2225

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: UniFi Controller versions prior to 3.2.1
Description: The issue is a cross-site request forgery (CSRF): a remote attacker who lures an administrator with an active UniFi Controller session to a page under the attacker's control can have the victim's browser issue state-changing requests to the controller, and the controller accepts them as the administrator's own. The forged requests can, among other things, create a new admin user, change guest settings, block or unblock users, and modify syslog settings. The affected API endpoints and what a forged request to each can do:

- api/add/admin: create a new admin user
- api/add/wlanconf: unspecified impact
- api/set/setting/guest_access: change the guest password, authentication method, or restricted subnets
- api/cmd/stamgr: block, unblock, or reconnect users by MAC address
- api/set/setting/rsyslogd: change the syslog server or port
- api/set/setting/smtp: unspecified impact
- api/cmd/cfgmgr: change the syslog server, port, or authentication settings
- api/set/setting/identity: change the UniFi Controller name
Recommendations: Update to UniFi Controller 3.2.1 or later, which resolves the issue. If an update cannot be applied immediately, restrict network access to the controller's web interface and the affected API endpoints to trusted hosts, and have administrators log out of the controller rather than leaving an authenticated session open while browsing other sites: a forged request only succeeds against a browser that still holds a valid administrator session.
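The following is an added example, not code from the original advisory or from Ubiquiti. It covers both the Description and the Recommendations above: it checks a reported controller version against the fixed release named on the page (3.2.1), and it screens request records for the pattern a CSRF exploit of this issue produces, namely a state-changing request to one of the listed API endpoints whose Origin (or, failing that, Referer) header is absent or belongs to a site other than the controller itself. The request records, the controller origin, and the exact path form (endpoint directly under the controller root, as written on the page) are assumptions made for illustration.

```python
"""
Added example (not part of the advisory or of the UniFi Controller code base).

Two checks a defender can run against a UniFi Controller deployment:
  1. is_vulnerable(): is the reported version earlier than the fixed 3.2.1?
  2. screen(): which recorded requests to the affected endpoints look cross-site?

Request records and header values below are constructed for illustration.
"""
from urllib.parse import urlsplit

# First release that resolves the issue, per the advisory.
FIXED_VERSION = (3, 2, 1)

# Endpoints named in the advisory description (paths relative to the controller root).
AFFECTED_ENDPOINTS = {
    "api/add/admin",
    "api/add/wlanconf",
    "api/set/setting/guest_access",
    "api/cmd/stamgr",
    "api/set/setting/rsyslogd",
    "api/set/setting/smtp",
    "api/cmd/cfgmgr",
    "api/set/setting/identity",
}

# HTTP methods that change state and are therefore relevant to CSRF.
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def parse_version(text):
    """'3.1.13' -> (3, 1, 13). Non-numeric suffixes are ignored; missing parts are 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True for any controller release prior to 3.2.1."""
    return parse_version(version) < FIXED_VERSION


def is_affected_endpoint(path):
    """Match a request path (query string and leading slash ignored) against the list above."""
    path = path.split("?", 1)[0].lstrip("/")
    return path in AFFECTED_ENDPOINTS


def cross_site(request, controller_origin):
    """
    Flag a state-changing request to an affected endpoint whose Origin (or Referer)
    is absent or names another site. A request made by the controller's own pages
    carries the controller's origin; a request forged from an attacker's page
    carries that page's origin, or none at all.
    """
    if request["method"].upper() not in STATE_CHANGING:
        return False
    if not is_affected_endpoint(request["path"]):
        return False
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return True
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}".lower() != controller_origin.lower()


# Constructed request records (assumption: one dict per request, not real traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/api/add/admin",
     "headers": {"Origin": "https://unifi.example.internal:8443"}},      # legitimate
    {"method": "POST", "path": "/api/add/admin",
     "headers": {"Referer": "http://attacker.example/lure.html"}},       # cross-site
    {"method": "POST", "path": "/api/cmd/stamgr", "headers": {}},         # no source at all
    {"method": "GET", "path": "/api/stat/sta",
     "headers": {"Referer": "http://attacker.example/lure.html"}},       # read-only, ignored
]


def screen(requests, controller_origin="https://unifi.example.internal:8443"):
    """Return the indexes of requests that look like CSRF attempts against this issue."""
    return [i for i, r in enumerate(requests) if cross_site(r, controller_origin)]


if __name__ == "__main__":
    for v in ("3.1.13", "3.2.0", "3.2.1", "3.2.10"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("suspicious request indexes:", screen(SAMPLE_REQUESTS))
```

The Origin/Referer screen is a triage heuristic, not a replacement for the update: a browser may omit Referer under a strict referrer policy, producing false positives, and a non-browser client can set any header it likes, so the absence of a flagged request proves nothing. The page does not describe how 3.2.1 fixes the issue, so the example makes no claim about the controller's own CSRF defence.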

Exploit · Fix · CSRF


Weakness Enumeration: CSRF (cross-site request forgery)

Related Identifiers: CVE-2014-2225

Affected Products: Unifi Controller