The Lantronix xPrintServer and its accompanying cloud storage API contain several vulnerabilities.
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2014-9002
An unauthenticated attacker can include a shell command inside the 'c' parameter of an AJAX request to the device, which is then executed in the context of the device's root user. According to Lantronix, this issue was addressed in version 3.3.0.
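The defect class described above (a request parameter passed through to a shell) is illustrated here as an added example that is not code from the advisory or from Lantronix: a vulnerable dispatch pattern, the hardened form that allow-lists the 'c' value and never invokes a shell, and a small detector that scans access-log lines for requests whose 'c' parameter falls outside the allow-list or carries shell metacharacters. The endpoint path `/cgi-bin/ajax`, the helper binary `xps-ctl`, the command names in the allow-list and the log lines are all constructed placeholders; the device's real command set and URL layout are not documented on this page.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of command names the AJAX endpoint is meant to expose.
# Constructed for this example; the real xPrintServer command set is not documented here.
ALLOWED_COMMANDS = {"status", "reboot", "printers"}

# Characters that let a value break out of a shell command string.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n\\\"']")

# Placeholder helper binary name used to show the two dispatch patterns.
_HELPER = "/usr/local/bin/xps-ctl"


def vulnerable_dispatch(c: str) -> str:
    """'Before' pattern: the raw parameter is concatenated into one shell string.

    If this string were handed to a shell, any metacharacter in `c` would be
    interpreted by that shell with the privileges of the web process.
    """
    return _HELPER + " " + c


def validate_c(c: str) -> str:
    """Reject anything that is not exactly one allow-listed command name."""
    if c not in ALLOWED_COMMANDS:
        raise ValueError(f"rejected command parameter: {c!r}")
    return c


def hardened_dispatch(c: str) -> List[str]:
    """'After' pattern: allow-list the value and build an argv list.

    The returned list is what you would pass to subprocess.run(argv) with the
    default shell=False, so no shell ever parses the parameter.
    """
    return [_HELPER, validate_c(c)]


# Common-log-format access line: client, timestamp, request line, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def flag_request(log_line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, offending_value) when the 'c' parameter is suspicious."""
    m = _LOG_RE.match(log_line)
    if not m:
        return None
    # parse_qs percent-decodes the values, so %3B is seen as ';'.
    query = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    for value in query.get("c", []):
        if value not in ALLOWED_COMMANDS or _SHELL_META.search(value):
            return (m["ip"], value)
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run flag_request over every line and collect the hits."""
    hits = []
    for line in lines:
        hit = flag_request(line)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample access-log lines (not captured from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2015:10:00:00 +0000] "GET /cgi-bin/ajax?c=status HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2015:10:00:05 +0000] "GET /cgi-bin/ajax?c=status%3Bprobe HTTP/1.1" 200 612',
    '192.0.2.12 - - [01/Jan/2015:10:00:09 +0000] "POST /cgi-bin/ajax?c=printers HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"suspicious 'c' parameter from {ip}: {value!r}")
```

The allow-list is the load-bearing control: the metacharacter regex in `flag_request` is only a detection heuristic for log review, whereas `validate_c` refuses anything that is not a known command name, so an unexpected value never reaches the helper at all.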
An unauthenticated remote attacker may be able to learn private information about the device's internal network, access or modify the device's configuration or files, or gain root access to the device.
Apply an update
Thanks to the reporter who wishes to remain anonymous.
This document was written by Garret Wassermann.