PT-2024-5939 · Roxy-Wi

Kutayakbas · Published 2024-08-29 · Updated 2024-09-06 · CVE-2024-43804

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Roxy-WI (affected versions not specified)
Description: Roxy-WI, a web interface for managing servers, contains an OS Command Injection vulnerability in its port scanning functionality. Any authenticated user can use it to execute arbitrary commands on the host running the web application. User-supplied input is used without validation when an OS command is constructed and executed: the attacker-controlled ip variable is concatenated into the cmd and cmd1 command strings with no additional validation, and the server_mod.subprocess_execute function is then called on each resulting string, which runs it through subprocess.Popen() with shell=True. Because the shell interprets metacharacters such as ;, |, & and $(), a value of the form 127.0.0.1; <command> ends the intended command and runs the attacker's command with the privileges of the web application process.
Recommendations: At the time of writing there is no information about a release that contains a fix for this vulnerability. Users are advised to contact Roxy-WI to coordinate a fix. As a temporary workaround, restrict access to the port scanning functionality to the smallest possible set of trusted accounts, since every authenticated user can otherwise reach it, and avoid passing the ip variable to the affected API endpoint until the issue is resolved.
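The following is an added illustration of the bug class the advisory describes, placed here to show the vulnerable pattern next to its fix; it is not Roxy-WI's code. The function names, the command template and the use of `echo` (standing in for a real scanner binary so the example runs offline and harmlessly) are assumptions made for the example. It shows three things: the shell=True pattern lets a payload in the ip value start a second command; the same call made with an argument list and no shell keeps the payload as one literal argument; and validating the target as an IP address before execution rejects the payload outright.

```python
import ipaddress
import subprocess

# Added example, NOT Roxy-WI's code: names, the command template and the use of
# "echo" in place of a real scanner are assumptions made for illustration.


def build_cmd(ip: str) -> str:
    """Command template that splices the raw request parameter into a shell string."""
    return f"echo SCAN {ip}"


def vulnerable_scan(ip: str) -> str:
    """The pattern the advisory describes: attacker-controlled ip, shell=True.

    /bin/sh parses the concatenated string, so shell metacharacters in ip
    (; | & $( ) ` newline) split it into additional commands.
    """
    cmd = build_cmd(ip)
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out


def no_shell_scan(ip: str) -> str:
    """Same command without a shell: an argv list, each element one literal argument.

    Even an unvalidated payload stays a single argument to the program and
    cannot start a second command. This is the execution-side half of the fix.
    """
    argv = ["echo", "SCAN", ip]
    proc = subprocess.run(argv, stdout=subprocess.PIPE, text=True, check=True)
    return proc.stdout


def is_valid_ip(ip: str) -> bool:
    """Input-side half of the fix: accept only a syntactically valid IPv4/IPv6 address.

    Use ipaddress.ip_network instead if ranges are a legitimate input.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True


def safe_scan(ip: str) -> str:
    """Validate first, then execute without a shell. Rejects rather than sanitises."""
    if not is_valid_ip(ip):
        raise ValueError(f"refusing to scan non-IP target: {ip!r}")
    return no_shell_scan(ip)


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"          # constructed attacker input
    print("vulnerable:", repr(vulnerable_scan(payload)))   # second command runs
    print("no shell:  ", repr(no_shell_scan(payload)))     # payload is one literal argument
    try:
        safe_scan(payload)
    except ValueError as exc:
        print("safe:      ", exc)
```

Both halves matter: dropping shell=True alone stops the injection but still passes arbitrary strings to the scanner's argument parser, and validation alone still leaves a shell between the application and the target. Rejecting input that is not an IP address is preferable to escaping it with shlex.quote, because the intended domain of the parameter is known exactly.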

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers: BDU:2024-06746, CVE-2024-43804, GHSA-QC52-VWWJ-5585

Affected Products: Roxy-Wi