CVE-2022-24551
https://notcve.org/view.php?id=CVE-2022-24551
A flaw was found in StarWind Stack. The endpoint for setting a new password doesn’t check the current username and old password. An attacker could reset any local user password (including system/administrator user) using any available user This affects StarWind SAN and NAS v0.2 build 1633. Se ha encontrado un fallo en StarWind Stack. El punto final para establecer una nueva contraseña no comprueba el nombre de usuario actual y la contraseña antigua. • https://www.starwindsoftware.com/security/sw-20220204-0001 • CWE-287: Improper Authentication •
CVE-2022-24552
https://notcve.org/view.php?id=CVE-2022-24552
A flaw was found in the REST API in StarWind Stack. REST command, which manipulates a virtual disk, doesn’t check input parameters. Some of them go directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges. This affects StarWind SAN and NAS v0.2 build 1633. • https://www.starwindsoftware.com/security/sw-20220203-0001 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •