Bitdefender BOX 2 versions 188.8.131.52 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) Vulnerability
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 184.108.40.206 and 220.127.116.11.
The information has been provided by Claudio Bozzato
The original article can be found at: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0919
The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker would need to impersonate an infrastructure server to trigger this vulnerability.
Bitdefender BOX 2 versions 18.104.22.168
Bitdefender BOX 2 versions 22.214.171.124