CVE-2021-46704

Name of the Vulnerable Software and Affected Versions GenieACS versions 1.2.x through 1.2.7

Description The issue arises from insufficient input validation combined with a missing authorization check in the UI interface API, allowing unauthenticated OS command injection via the ping host argument. This is due to vulnerabilities in the lib/ui/api.ts and lib/ping.ts files.

Recommendations For GenieACS versions 1.2.x through 1.2.7, update to version 1.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the lib/ui/api.ts and lib/ping.ts files to minimize the risk of exploitation. Avoid using the ping host argument in the UI interface API until the issue is resolved.