Fixes for a new security issue were published last night. You should see dashboard notifications of module updates available, or, if you have auto update enabled for security issues, you will see dashboard notifications that the modules have been updated already.
The nature of the vulnerability is the possibility of remote code execution by a UCP user, but only AFTER successful login.
That’s my take. Not rushing to patch out of band.
How can RCE be low risk? Even though it was post-authorization, that does not change its status from high to low. Especially in systems that can easily be monetized, such as VoIP…
If you have credentials there are many things you can do to the system. Some of them on purpose. If you have credentials you can actually “monetize” without needing an exploit at all. The point is, if credentials have been compromised, you likely have bigger concerns than an RCE. Remember, the difference between doing things and not doing things is authentication.