CVE-2021-46704: 
JavaScript vulnerability analysis and mitigation

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check (NVD).

The vulnerability exists in the ping functionality where the host argument is not properly validated before being passed to the OS command execution. The issue specifically affects the files lib/ui/api.ts and lib/ping.ts. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The weakness is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command (NVD).

A successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary OS commands on the affected system. Due to the lack of authentication requirements and the high severity rating, this vulnerability could lead to complete system compromise with maximum impact on confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in GenieACS version 1.2.8. The fix includes proper validation of the host argument passed to the ping function, preventing possible remote code execution. The patch implements input validation using regular expressions to check for valid characters in IPv4, IPv6, and domain names, as well as handling IDN conversion to Punycode (GitHub Patch, GitHub Release).