CVE-2023-33617

Name of the Vulnerable Software and Affected Versions Parks Fiberlink 210 firmware version V2.1.14 X000

Description An OS Command Injection issue exists due to the lack of neutralization of special elements used in the operating system command. This can be exploited via the "/boaform/admin/formPing" target addr parameter, allowing an attacker to execute arbitrary commands on the server. The target addr parameter is vulnerable to this issue.

Recommendations For Parks Fiberlink 210 firmware version V2.1.14 X000, as a temporary workaround, consider disabling the /boaform/admin/formPing endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the target addr parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.