===================
"Remote Code Execution (RCE) via Unrestricted File Upload" (CWE-434) vulnerability
in "Intrexx Professional" product
Vendor
===================
United Planet GmbH
Product
===================
"Intrexx is an integrated cross-platform development environment for the creation
and operation of web-based applications, enterprise portals and intranet portals."
- source: https://en.wikipedia.org/wiki/
Affected versions
===================
This vulnerability affects versions of Intrexx Professional 6.0 (prior to Online Update 10)
and 5.2 (prior to Online Update 0905)
Patch availability
===================
The vendor has released the following fixes:
"Online Update 10" or later for Intrexx Professional 6.0 users
"Online Update 0905" or later for Intrexx Professional 5.2 users
Reported by
===================
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.
Severity
===================
Critical
Exploitability
===================
Exploitable by unauthenticated attackers
Description
===================
Using an unrestricted file upload it is possible to execute arbitrary code on the remote server
by uploading and remotely executing a malicious file that contains code by the attacker.
Proof of concept
===================
Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.
References
===================
https://help.unitedplanet.com/
https://help.unitedplanet.com/
http://www.christian-
Komentarų nėra:
Rašyti komentarą