CVE-2020-21884

Name of the Vulnerable Software and Affected Versions: Unibox SMB version 2.4 UniBox Enterprise Series version 2.4 UniBox Campus Series version 2.4

Description: The issue is related to a cross-site request forgery (CSRF) vulnerability. This vulnerability can be exploited through specially crafted HTTP requests to certain API endpoints, potentially allowing reconfiguration of the device. The affected endpoints include "/tools/network-trace", "/list users", "/list byod?usertype=raduser", "/dhcp leases", and "/go?rid=202".

Recommendations: For Unibox SMB version 2.4, consider restricting access to the vulnerable API endpoints until a patch is available. For UniBox Enterprise Series version 2.4, avoid using the vulnerable endpoints, such as "/tools/network-trace" and "/list users", to minimize the risk of exploitation. For UniBox Campus Series version 2.4, as a temporary workaround, consider disabling access to the "/list byod?usertype=raduser" and "/dhcp leases" endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.