Ubiquiti Inc.: AirFibre products vulnerable to HTTP Header injection
The uri GET parameter of Login.cgi is directly used on login to generate HTTP headers without sanitisation. A user could be tricked into logging into the device and then redirected to a malicious location or attacked through other HTTP Header injection attacks. Vulnerable code: if isset$uri &&...
Ubiquiti Inc.: Can upload files without authentication on AirFibre 3.2
A POST submission such as the one below will upload a file to the tmp/upload directory without requiring authentication. I have been unable to redirect the upload to another directory, so I cannot utilize this for RCE; however, an attacker is able to use this to fill the disk space on the device, which could cause ...