CVE-2023-3260

Name of the Vulnerable Software and Affected Versions Dataprobe iBoot PDU versions 1.43.03312023 or earlier

Description The issue concerns command injection via the user-name URL parameter. An authenticated malicious agent can exploit this to execute arbitrary commands on the underlying Linux operating system. This allows for the execution of arbitrary code with system-level access.

Recommendations For Dataprobe iBoot PDU versions 1.43.03312023 or earlier, consider disabling the use of the user-name URL parameter until a patch is available to prevent command injection attacks. Restrict access to the affected URL endpoint to minimize the risk of exploitation. Avoid using the user-name parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.