GHSA-WQHW-FRPX-5MMP Command Injection in tomato

All versions of tomato are vulnerable to Command Injection. The /api/exec endpoint does not validate user input allowing attackers to run arbitrary commands in the system. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available...

API Admin Auth Weakness

Overview Versions of tomato prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex...