CVE-2021-27275

Name of the Vulnerable Software and Affected Versions NETGEAR ProSAFE Network Management System version 1.6.0.26

Description This issue allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The specific flaw exists within the ConfigFileController class, specifically when parsing the realName parameter, which does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this issue to disclose sensitive information or to create a denial-of-service condition on the system.

Recommendations For NETGEAR ProSAFE Network Management System version 1.6.0.26, consider disabling the ConfigFileController class or restricting access to it until a patch is available. Additionally, restrict the use of the realName parameter in file operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.