Nautobot is a Network Source of Truth and Network Automation Platform. Nautobot did not properly sandbox Jinja2 template rendering. All users of Nautobot versions earlier than 1.5.7 are impacted by a remote code execution vulnerability.

Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

The cryptographic code signing process and controls on ConnectWise Control through 2 (formerly known as ScreenConnect) are cryptographically flawed. An attacker can remotely generate or locally alter file contents and bypass code-signing controls. The attacker tampers with a trusted, signed executable in transit. This can be used to execute code as a trusted application provider, escalate privileges, or execute arbitrary commands in the context of the user.