PT-2021-19497 · Myserver · Myserver+1

Bc0D3

·

Published

2021-06-21

·

Updated

2021-06-28

·

CVE-2021-31769

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MyQ Server in MyQ X Smart, versions prior to 8.2
Description: The issue allows remote code execution by unprivileged users. Administrative session data can be read from the %PROGRAMFILES%\MyQ\PHP\Sessions directory, and the "Select server file" feature, intended for administrators only, does not require authorization. With the hijacked administrative session, an attacker can inject arbitrary OS commands via the Task Scheduler component, for example to create new .php files on the server.
Recommendations: For versions prior to 8.2, update to version 8.2 or later to resolve the issue. As a temporary workaround, restrict access to the Task Scheduler component and the "Select server file" feature to minimize the risk of exploitation. Additionally, verify that the ACL on the %PROGRAMFILES%\MyQ\PHP\Sessions directory denies read access to unprivileged local and network principals, so that administrative session data cannot be read by an attacker.
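The following PowerShell script is an added example for checking the workaround above; it is not part of this advisory or of MyQ's own tooling. It audits the NTFS ACL of the session directory named in the advisory and reports any Allow rule that gives a low-privilege principal read or list access. The directory path is the one from the advisory; the list of principals treated as "low-privilege" is an assumption for illustration and should be adjusted to your environment.

```powershell
# Added example (not from the advisory or the vendor): audit the ACL on the MyQ PHP
# session directory and flag read access granted to unprivileged principals.
# Run from an elevated PowerShell prompt on the MyQ server.

$SessionDir = Join-Path $env:ProgramFiles 'MyQ\PHP\Sessions'

# Assumption: these principals are what we consider "unprivileged". Extend the list
# with any domain groups that low-privilege users on this host belong to.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\NETWORK'
)

function Test-SessionDirAcl {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Session directory not found: $Path"
        return @()
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()

    # Any of these rights lets a principal enumerate or read the session files.
    $readMask = [System.Security.AccessControl.FileSystemRights]::ListDirectory -bor
                [System.Security.AccessControl.FileSystemRights]::ReadData -bor
                [System.Security.AccessControl.FileSystemRights]::Read -bor
                [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($rule in $acl.Access) {
        # Only Allow rules widen access; Deny rules tighten it.
        if ($rule.AccessControlType -ne 'Allow') { continue }

        $identity = $rule.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $identity) { continue }

        if (($rule.FileSystemRights -band $readMask) -ne 0) {
            $findings += [pscustomobject]@{
                Identity  = $identity
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
    return $findings
}

$findings = @(Test-SessionDirAcl -Path $SessionDir)
if ($findings.Count -eq 0) {
    Write-Output "OK: no low-privilege principal can read $SessionDir"
} else {
    Write-Output "FINDING: low-privilege read access on $SessionDir"
    $findings | Format-Table -AutoSize
}
```

Inherited rules are reported too, because a permissive ACL on %PROGRAMFILES%\MyQ that propagates down is exactly what exposes the session files. When tightening the ACL, keep the account the MyQ service runs under (not named in the advisory) and SYSTEM/Administrators; removing inheritance without re-granting that account breaks the application.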

Exploit

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2021-31769

Affected Products

Myserver
Myq X Smart