Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure
Description
Cellopoint CelloOS v4.1.10 Build 20190922 does not properly validate URL input, which allows an unauthorized user to launch a path traversal attack and access arbitrary files on the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cellopoint CelloOS v4.1.10 fails to validate URL input, allowing unauthenticated path traversal to read arbitrary system files.
Vulnerability
Cellopoint CelloOS v4.1.10 Build 20190922 does not properly filter special characters in URL parameters, enabling a path traversal attack. The vulnerability resides in the web interface of the email management platform, where user-supplied input is not sanitized for directory traversal sequences such as ../ [1].
Exploitation
An unauthenticated attacker with network access can exploit this by sending a crafted HTTP request containing path traversal sequences in the URL. No authentication or user interaction is required. The attacker can navigate the filesystem by manipulating the ../ patterns to access files outside the intended directory [1].
Impact
Successful exploitation allows the attacker to read arbitrary files on the system, leading to unauthorized disclosure of sensitive information. The CVSS v3.1 score is 7.5 (High) with a confidentiality impact of High and no impact on integrity or availability [1].
Mitigation
The vendor released a fix in CelloOS version 4.1.12 Build 20200701, which was made available via online update on 2020-06-17. Users should update to this version or later to remediate the vulnerability [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 4.1.10 Build 20190922
- (no CPE) range: 0
Patches
No patches discovered yet.
References
- [1] www.twcert.org.tw/tw/cp-132-3846-7790c-1.html (mitre, x_refsource_MISC)