Vulnerability Description: Arbitrary file write Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19988
CVSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
A user with valid credentials is able to create and write XML files on the filesystem via the web interface. The PHP page doesn’t check the parameter that identify the file name to be created. Thus, an attacker can manipulate the file name to create any type of file within the filesystem.