:: Deepquest ::

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway systems suffer from an issue where due to the hidden and undocumented File Editor (Filesystem Browser) shell script ‘system-editor.sh’ an attacker can leverage this issue to read, modify or delete arbitrary files on the system. Input passed thru the ‘path’ and ‘savefile’, ‘edit’ and ‘delfile’ GET and POST parameters is not properly sanitized before being used to modify files. This can be exploited by an authenticated attacker to read or modify arbitrary files on the affected system. Many versions are affected.