Hello all,

I would like to inform you about the Remote Command & Code Injection
vulnerabilities found in Wifi-soft's Unibox Controllers.

Name: Remote Code Injection in Wifi-soft's Unibox Controllers
Affected Software: Unibox Controller
Affected Versions: 0.x - 2.x
Homepage: https://wifi-soft.com/unibox-controller/
Vulnerability: Remote Code Injection
Severity: Critical
Status: Not Fixed
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)
CVE-ID Reference: CVE-2019-3495


Name: Remote Command Injection in Wifi-soft's Unibox Controllers
Affected Software: Unibox Controller
Affected Versions: 0.x - 2.x
Homepage: https://wifi-soft.com/unibox-controller/
Vulnerability: Remote Command Injection
Severity: Critical
Status: Not Fixed
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)
CVE-ID Reference: CVE-2019-3497

Name: Remote Command Injection in Wifi-soft's Unibox Controllers
Affected Software: Unibox Controller
Affected Versions: 3.x
Homepage: https://wifi-soft.com/unibox-controller/
Vulnerability: Remote Command Injection
Severity: Critical
Status: Not Fixed
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)
CVE-ID Reference: CVE-2019-3496

I have posted all the technical details, POCs and root-cause analysis here:
https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-Controller-0.x-3.x/


Best Regards,

*Sahil Dhar                                  *
Information Security Consultant
+91 9821544985

<http://goog_555023787>
[image:
https://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/]
<https://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/>