CVE-2021-26752

Name of the Vulnerable Software and Affected Versions NeDi version 1.9C

Description The issue allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint "/Nodes-Traffic.php" via the md or ag HTTP GET parameter. This enables an attacker to obtain access to the operating system where NeDi is installed and to all application data.

Recommendations For NeDi version 1.9C, consider disabling access to the "/Nodes-Traffic.php" endpoint until a patch is available. As a temporary workaround, restrict the use of the md and ag HTTP GET parameters in the Nodes Traffic function to minimize the risk of exploitation.