Arbitrary OS Command Injection via Timezone Parameter in Loxone Miniserver Go Gen.2

CVE-2023-36622 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The websocket configuration endpoint of the Loxone Miniserver Go Gen.2 before 14.1.5.9 allows remote authenticated administrators to inject arbitrary OS commands via the timezone parameter.
