Summary
An issue was discovered in Extreme Networks IQ Engine (HiveOS) before 10.7r5. From a device that has previously logged into a (possibly vestigial) web UI, the web UI may allow exploitation of the AhBaseAction class, which allows arbitrary execution of files that have an Access.class.php5 trailing substring.
Products Potentially Affected
| OS/Product | Exposure |
|---|---|
| IQ Engine (HiveOS) | Yes |
Repair Recommendations
IQ Engine (HiveOS):
- Fixed in 10.8r1 or later (AP5020 & AP4020).
- Fixed in 10.8r2 or later (all other platforms).
Please see the full security advisory here for more details and future updates.