Enelx ≫ Waybox Pro Firmware

Waybox Enel X web management application could be used to execute arbitrary OS commands and provide administrator’s privileges over the Waybox system.

Waybox Enel TCF Agent service could be used to get administrator’s privileges over the Waybox system.

A heap buffer overflow could be triggered by sending a specific packet to TCP port 7700.

The Waybox Enel X web management application contains a PHP-type juggling vulnerability that may allow a brute force process and under certain conditions bypass authentication.

Under certain conditions, through a request directed to the Waybox Enel X web management application, information like Waybox OS version or service configuration details could be obtained.

Waybox Enel X web management API authentication could be bypassed and provide administrator’s privileges over the Waybox system.

Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/versions.php.

Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/dbstore.php.

In certain conditions a request directed to the Waybox Enel X Web management application could cause a denial-of-service (e.g. reboot).