CVE-2017-9833 (CVSS v3: 7.5)
24 Jun 2017
/cgi-bin/wapopen in BOA Webserver 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges.
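
A defender can look for this pattern in web access logs. The following is an added example, not part of the CVE record: it flags requests to `/cgi-bin/wapopen` whose FILECAMERA value contains a `..` path segment, and goes beyond the literal "../.." in the description by also catching percent-encoded and double-encoded forms. The Common Log Format layout, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format), not from a real system.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jun/2017:10:00:01 +0000] "GET /cgi-bin/wapopen?FILECAMERA=cam1 HTTP/1.1" 200 512
192.0.2.11 - - [24/Jun/2017:10:00:05 +0000] "GET /cgi-bin/wapopen?FILECAMERA=../../placeholder/file HTTP/1.1" 200 2048
192.0.2.12 - - [24/Jun/2017:10:00:09 +0000] "GET /cgi-bin/wapopen?FILECAMERA=%2e%2e%2f%2e%2e%2fplaceholder HTTP/1.1" 200 2048
192.0.2.13 - - [24/Jun/2017:10:00:12 +0000] "GET /cgi-bin/wapopen?FILECAMERA=%252e%252e%252f%252e%252e%252fplaceholder HTTP/1.1" 200 2048
192.0.2.14 - - [24/Jun/2017:10:00:15 +0000] "GET /index.html?file=../../placeholder HTTP/1.1" 404 0
192.0.2.15 - - [24/Jun/2017:10:00:20 +0000] "GET /cgi-bin/wapopen?FILECAMERA=cam..2 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
ENDPOINT = "/cgi-bin/wapopen"   # path named in the CVE description
PARAM = "FILECAMERA"            # variable named in the CVE description

def fully_decode(value, max_rounds=5):
    # Undo repeated percent-encoding (bounded) so %252e%252e is seen as "..".
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    # True only when ".." is a whole path segment, so "cam..2" is not flagged.
    return ".." in re.split(r"[/\\]", fully_decode(value))

def find_suspicious(log_text):
    # Returns (line number, client address, raw parameter value) per flagged request.
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if fully_decode(url.path) != ENDPOINT:
            continue
        # Split the raw query by hand so values stay encoded until fully_decode.
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            if unquote(name) == PARAM and has_traversal(raw):
                hits.append((lineno, line.split()[0], raw))
    return hits
```

A 200 status on a flagged line, as in the constructed samples, is a reason to check what the response contained, since the description states the files are read with root privileges.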