o Hunesion has released security updates to address multiple vulnerabilities in i-oneNet(Inter-network data transmission) solution.
Unrestricted file upload
Malicious file upload
Malicious file execution
o (CVE-2019-12803) The specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, attacker can use the webshell to perform remote code exection such as running a system command.
o (CVE-2019-12804) Due to the lack of update file integrity checking in the upgrade process, an attacker can craft malicious file and use it as a update.
□ Affected Product
3.0.7 ~ 3.0.53, 4.0.4 ~ 4.0.16
o Update to patched release version(V3.0 => 3.0.54, V4.0 => 4.0.17)