PT-2021-10707 · Inim Electronics · Inim Electronics Smartliving Smartlan/G/Si

Gjoko Krstic · Published 2021-04-29 · Updated 2021-05-12 · CVE-2020-21992
CVSS v2.0: 9.0 (High) · Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Inim Electronics SmartLiving SmartLAN/G/SI, versions prior to 7.x
Description: The testemail module of the web.cgi binary passes the par POST parameter into the mailx command it invokes without sanitizing it. Shell metacharacters in par are therefore interpreted, and the attacker-supplied text runs as an OS command with root privileges. An attacker who can reach the web interface and authenticate (the device ships with default credentials, which makes this step trivial) can execute arbitrary commands as root remotely and bypass the access controls the device enforces; the CVSS vector (Au:S) reflects the single authentication required.
Recommendations: Update Inim Electronics SmartLiving SmartLAN/G/SI to version 7.x or later, since only earlier versions are listed as affected. Until the update can be applied: disable the testemail module; restrict network access to web.cgi (and to the web interface as a whole) to trusted management hosts, since the attack is carried over HTTP; and change the default credentials, because they are what turns this authenticated injection into an effectively unauthenticated one. Requests to the testemail module whose par value contains shell metacharacters (for example ;, |, `, $( or newlines) should be treated as an attack indicator when reviewing web logs.
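The following C snippet is an added illustration of the defect class the description names; it is not Inim's web.cgi code (which is a closed binary) and the function names, the mailx command line and the sample inputs are all assumptions. It shows the vulnerable pattern (interpolating the recipient into a shell command string for mailx) next to a hardened handler that allowlists the recipient and builds an argv for execve() so no shell ever parses the parameter.

```c
/*
 * Illustration (not Inim's web.cgi code) of the pattern the advisory
 * describes: a "test e-mail" handler that drops a POST parameter into a
 * shell command line for mailx, beside a hardened version that never lets
 * the parameter reach a shell. Names and the command format are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern: the recipient is interpolated into a shell command
 * string that is later handed to system()/popen(). Anything after a ';'
 * or inside $(...) in 'par' runs as the CGI's user (root on the device). */
int build_mail_cmd_vulnerable(const char *par, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen,
                     "echo 'SmartLiving test e-mail' | mailx -s 'test' %s", par);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Hardened step 1: strict allowlist for a single recipient address.
 * Rejects shell metacharacters, whitespace and anything not plausible in
 * a local-part@domain address. Returns 1 if acceptable, 0 otherwise. */
int validate_recipient(const char *par)
{
    size_t len = strlen(par);
    const char *at = strchr(par, '@');
    if (len == 0 || len > 254 || at == NULL || at == par || at[1] == '\0')
        return 0;
    if (strchr(at + 1, '@') != NULL)          /* exactly one '@' */
        return 0;
    for (const char *p = par; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || strchr("._+-@", c) != NULL)
            continue;
        return 0;                             /* ';', '|', '$', '(', ' ', ... */
    }
    return 1;
}

/* Hardened step 2: build an argv for execve()/execvp() instead of a shell
 * command line. The recipient is one argument; the kernel never parses it,
 * so ';', '|', '$(...)' and friends have no special meaning. Returns the
 * argument count, or -1 if the recipient is rejected. */
int build_mail_argv(const char *par, const char *argv[], size_t max_args)
{
    if (max_args < 5 || !validate_recipient(par))
        return -1;
    argv[0] = "mailx";
    argv[1] = "-s";
    argv[2] = "test";
    argv[3] = par;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed inputs: a benign address, a ';' injection, a $() injection. */
    const char *payloads[] = { "ops@example.com",
                               "ops@example.com;id>/tmp/pwned",
                               "$(id)@example.com" };
    char cmd[512];
    const char *argv[8];
    for (size_t i = 0; i < 3; i++) {
        build_mail_cmd_vulnerable(payloads[i], cmd, sizeof cmd);
        printf("shell string : %s\n", cmd);
        printf("hardened     : %s\n\n",
               build_mail_argv(payloads[i], argv, 8) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The allowlist is deliberately narrower than RFC 5321 (no quoted local parts, no IP literals); for a device's single notification recipient that trade-off is the right one. Note that validation alone is not the fix: even with a validator, the command should be executed via an argv so that a future gap in the allowlist cannot become command execution again.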

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2020-21992

Affected Products: Inim Electronics Smartliving Smartlan/G/Si