PT-2022-12665 · Cybele · Thinfinity Virtualui

Daniel Morales · Published 2022-02-09 · Updated 2022-03-01 · CVE-2021-46354

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Thinfinity VirtualUI versions 2.1.28.0 through 2.5.26.2

Description: The issue affects the Addr parameter in the cmd site, allowing the vulnerable server to disclose information or increase the attack surface by sending requests to other systems. This can potentially leak the real IP address of the web server.

Recommendations: For Thinfinity VirtualUI versions 2.1.28.0 through 2.5.26.2, update to version 3.0 to resolve the issue. As a temporary workaround, consider restricting access to the Addr parameter in the cmd site until a patch is available.

Exploit

Fix

Exposure of Resource to Wrong Sphere


Weakness Enumeration

Related Identifiers

CVE-2021-46354

Affected Products

Thinfinity Virtualui