Description
The web application is affected by multiple vulnerabilities, including
unauthenticated file upload and XML External Entity (XXE) injection.
1. Unauthenticated File Upload:
The form /WorkArea/Upload.aspx does not require authentication to upload a file. By
issuing a POST request with a webshell embedded in a JPEG image and specifying
the ASPX extension, it is possible to upload ASPX code to /uploadedimages/. The
ASPX code is placed in the comment section of the JPEG so that it survives image
resizing.
2. XXE Injection:
The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity
attacks, which can be used to scan behind perimeter firewalls or possibly include files
from the local file system, e.g.
Remediation
Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.
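
Because the upload form accepted files without authentication, /uploadedimages/ should also be reviewed for files already planted there. The following is an added example, not part of the original advisory: it flags files with an executable extension and JPEGs whose comment (COM) segment contains server-side code. The extension list, the marker list and all function names are assumptions.

```python
import os
import struct

# Assumed lists, not taken from the advisory: extensions IIS may execute and
# byte patterns that mark server-side ASP.NET code.
EXEC_EXT = (".aspx", ".ashx", ".asmx", ".asp")
MARKERS = (b"<%", b"<script runat")

def jpeg_comments(data):
    """Yield the payload of each COM (0xFFFE) segment in the JPEG header."""
    if data[:2] != b"\xff\xd8":                 # no SOI marker: not a JPEG
        return
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI or start of scan data
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                          # malformed segment length
            return
        if marker == 0xFE:
            yield data[pos + 4:pos + 2 + length]
        pos += 2 + length

def suspicious(name, data):
    """Return the reasons a file under /uploadedimages/ deserves review."""
    reasons = []
    if name.lower().endswith(EXEC_EXT):
        reasons.append("executable extension")
    if any(m in c.lower() for c in jpeg_comments(data) for m in MARKERS):
        reasons.append("server-side code in JPEG comment")
    return reasons

def scan_dir(root):
    """Map each flagged file path under root to its list of reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                reasons = suspicious(name, fh.read())
            if reasons:
                hits[os.path.join(dirpath, name)] = reasons
    return hits

def make_jpeg(comment):
    """Constructed sample: minimal JPEG header carrying one COM segment."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"
```

Call scan_dir with the path of the site's uploadedimages folder. An empty result means no file matched these two heuristics, not that the host is clean.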