CVE-2021-27964

Name of the Vulnerable Software and Affected Versions: SonLogger versions prior to 6.4.1

Description: The issue allows for Unauthenticated Arbitrary File Upload. An attacker can exploit this by sending a POST request to "/Config/SaveUploadedHotspotLogoFile" without any authentication or session header. There is no check for the file extension or content of the uploaded file.

Recommendations: For versions prior to 6.4.1, update to version 6.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/Config/SaveUploadedHotspotLogoFile" endpoint until a patch is applied. Additionally, implementing checks for file extensions and content can help minimize the risk of exploitation.