This API is used to remove license product codes. An attacker can send specially-crafted requests to inject their own commands, bypassing the intended operations. There are two other command injection vulnerabilities in the web_server ajax endpoints: `/ajax/active/`, which is used to activate the license codes, and `/ajax/update/`, which is used to get the current status of the active license codes and to update the product codes of the active licenses. The `/ajax/remove/` API is used to remove license product codes. Each of these web_server ajax endpoints is vulnerable to command injection: an attacker can send specially-crafted requests to inject their own commands, bypassing the intended operations.

Authentication

The vulnerability exists within all supported web_server builds, as well as in the *authentication* method. Authentication is vulnerable in two different ways: the `/ajax/active/` endpoint is vulnerable to authentication by username and password, and the `/ajax/update/` endpoint is vulnerable to authentication by username and password. There are no other methods of authentication currently implemented in the web_server.

Reference:

I have not identified any vulnerabilities in this API.

Timeline

Published on: 06/30/2022 19:15:00 UTC
Last modified on: 07/12/2022 20:04:00 UTC
