Uvdesk 1.1.1 - RCE via Insecure File Upload
9.9
Critical
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: Uvdesk 1.1.1 - RCE via Insecure File Upload
Code name:
State: Public
Release date: Apr 4, 2023
Affected product: Uvdesk
Affected version(s): Version 1.1.1
Vulnerability name: Insecure file upload
Vulnerability type:
Remotely exploitable: Yes
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score: 9.9
Exploit available: Yes
CVE ID(s): CVE-2023-0265
Description
Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers.
Vulnerability
This vulnerability occurs because the application does not properly validate profile pictures uploaded by customers.
Exploitation
The application only accepts images (it validates the content and MIME type); however, it does not correctly validate the image extension. Because of this, we can inject PHP code into the image comments (so as not to corrupt the image), and then change the image extension to .php through a proxy.
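The gap described above, shown as an added example that is not Uvdesk code: a content and MIME check that still keeps the client-supplied extension, next to a hardened variant that derives the extension from the detected type. All function names, the allowlist and the sample file are assumptions made for illustration, and the fileinfo extension is assumed to be enabled.

```php
<?php
declare(strict_types=1);

// Added example, not Uvdesk code; all names here are hypothetical.
// Assumes the fileinfo extension is enabled.

// Detected MIME type => the only extension the server will write to disk.
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Content and MIME check, the kind of validation the advisory describes.
function detectedImageExtension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!is_string($mime) || getimagesize($path) === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime] ?? null;
}

// Weak: the file is a real image, but the stored name keeps the client's extension.
function weakStoredName(string $path, string $clientName): ?string
{
    return detectedImageExtension($path) === null ? null : basename($clientName);
}

// Hardened: the client name is ignored; the extension follows the detected type.
function safeStoredName(string $path): ?string
{
    $ext = detectedImageExtension($path);
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a valid 1x1 GIF with inert text in a comment block.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . "\x21\xfe\x0bplaceholder\x00"
     . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, $gif);

var_dump(weakStoredName($tmp, 'avatar.php')); // client-chosen extension survives
var_dump(safeStoredName($tmp));               // server-chosen name and extension
unlink($tmp);
```

Storing uploads outside the web root, or disabling PHP execution for the upload directory, adds a second layer if a name check is ever bypassed.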



Our security policy
We have reserved CVE-2023-0265 to refer to this issue from now on.
System Information
Version: Uvdesk 1.1.1
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page: https://github.com/uvdesk/community-skeleton
Timeline
Vulnerability discovered: Jan 14, 2023
Vendor contacted: Jan 14, 2023
Vendor replied: Jan 14, 2023
Public disclosure: Apr 4, 2023