RSS   Vulnerabilities for 'Roxy-wi'   RSS

2022-07-08
 
CVE-2022-31137

CWE-78
 
 
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.

 
2022-07-06
 
CVE-2022-31125

CWE-287
 
 
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxywi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

 
 
CVE-2022-31126

CWE-74
 
 
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to code execution by sending a specially crafted HTTP request to /app/options.py file. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

 
2021-08-07
 
CVE-2021-38167

CWE-89
 
 
Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. An unauthenticated attacker can extract a valid uuid to bypass authentication.

 
 
CVE-2021-38168

CWE-89
 
 
Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers.

 
 
CVE-2021-38169

CWE-77
 
 
Roxy-WI through 5.2.2.0 allows command injection via /app/funct.py and /api/api_funct.py.

 

Copyright 2024, cxsecurity.com

 

Back to Top