Vulnerability Description: Absolute Path Traversal - CWE-36
Software Version: 12.1.0-20211215
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-28806
CVSSv3:
Severity:
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
The web server fails to sanitize input data, allowing remote unauthenticated attackers to upload files to an arbitrary path on the filesystem.
Step-by-step instructions and PoC
An unauthenticated user can upload files in an arbitrary path using a specific functionality of the web application. An attacker can change the “uploadDir” parameter in the POST request (not possible using the GUI) to an arbitrary directory. Since the application does not check in which directory the file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server.
The evidence below shows the vulnerability details and the payloads used. In this case, uploadDir was changed from /var/tmp/external/ to /tmp/.
Payload used to exploit the vulnerability:
Security Impact
By exploiting this vulnerability on the web portal it was possible to upload files in an arbitrary path on the filesystem.
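The missing server-side check on the upload directory can be expressed as a containment test. The following Python sketch is an added example, not code from the affected product or from the advisory authors; the function name `safe_upload_path`, the exception `UploadPathError`, and the choice of /var/tmp/external as the only permitted base directory are assumptions made for illustration.

```python
import os

# Assumption: the default directory named in the advisory is the only
# location the upload feature is meant to write to.
ALLOWED_BASE = "/var/tmp/external"


class UploadPathError(ValueError):
    """Raised when a client-supplied upload location is rejected."""


def safe_upload_path(upload_dir: str, filename: str, base: str = ALLOWED_BASE) -> str:
    """Return the absolute destination path, or raise UploadPathError.

    upload_dir and filename are untrusted request parameters.
    """
    if "\x00" in upload_dir or "\x00" in filename:
        raise UploadPathError("NUL byte in path")

    # Keep only the last component of the filename: no separators, no dot entries.
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise UploadPathError("invalid filename")

    base_real = os.path.realpath(base)
    # os.path.join drops base_real when upload_dir is absolute, so "/tmp/"
    # stays "/tmp/"; realpath then collapses ".." and resolves symlinks.
    candidate_dir = os.path.realpath(os.path.join(base_real, upload_dir))

    # commonpath compares whole path components, so /var/tmp/external_evil
    # is not accepted as a child of /var/tmp/external.
    if os.path.commonpath([base_real, candidate_dir]) != base_real:
        raise UploadPathError("upload directory outside allowed base")

    return os.path.join(candidate_dir, name)
```

The check resolves symlinks at validation time only, so the base directory should be writable solely by the service account. Where the feature never needs a caller-chosen directory, ignoring the request parameter and using a fixed server-side path removes the input altogether.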