Uvdesk 1.1.1 - RCE via Insecure File Upload
| Name | Uvdesk 1.1.1 - RCE via Insecure File Upload |
|---|---|
| Affected versions | Version 1.1.1 |
| Kind | Insecure file upload |
| Rule | 027. Insecure file upload |
| CVSSv3 Base Score | 9.9 |
Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers.
This vulnerability occurs because the application does not properly validate profile pictures uploaded by customers. The application only accepts images (it validates the content and the MIME type), but it does not correctly validate the image extension. Because of this, PHP code can be injected into the image comments (so that the image is not corrupted), and the image extension can then be changed through a proxy to
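As an added illustration (not part of the Fluid Attacks advisory or of the Uvdesk code base), the following Python contrasts a content-only check of the kind described above with a validator that also enforces the filename extension against an allowlist, ties it to the magic bytes, strips PNG metadata chunks and assigns a server-chosen stored name. The PNG bytes and the comment chunk are constructed inline; the function names are assumptions.

```python
import os
import secrets
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Extension allowlist, each entry tied to the magic bytes the content must start with.
ALLOWED = {".png": PNG_MAGIC, ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
CRITICAL_PNG = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def _chunk(kind: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def build_png(comment: bytes) -> bytes:
    """Constructed 1x1 RGB PNG carrying a tEXt comment chunk (sample input, not a real upload)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00" + comment)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def weak_accepts(filename: str, data: bytes) -> bool:
    """Content-only check like the one the advisory describes: the magic bytes decide, the name is ignored."""
    return any(data.startswith(magic) for magic in ALLOWED.values())


def strip_png_metadata(data: bytes) -> bytes:
    """Rebuild a PNG from its critical chunks only, dropping tEXt/iTXt/zTXt and other ancillary data."""
    out, pos = PNG_MAGIC, len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        kind = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if kind in CRITICAL_PNG:
            out += _chunk(kind, body)
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
    return out


def strict_accepts(filename: str, data: bytes):
    """Extension allowlist + magic match + metadata strip + server-chosen name; None means reject."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED or not data.startswith(ALLOWED[ext]):
        return None
    if ext == ".png":
        data = strip_png_metadata(data)
    return secrets.token_hex(16) + ext, data  # never reuse the client-supplied name
```

The weak check accepts a valid image regardless of the name it is uploaded under; the strict check rejects a non-allowlisted extension, rejects a name whose extension disagrees with the content, and returns the cleaned bytes under a random name so injected metadata is never stored.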
Evidence of exploitation
Our security policy
We have reserved CVE-2023-0265 to refer to this issue from now on.
Version: Uvdesk 1.1.1
Operating System: GNU/Linux
There is currently no patch available for this vulnerability.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor page: https://github.com/uvdesk/community-skeleton
Vendor replied acknowledging the report.