Unrated severity · NVD Advisory · Published May 27, 2022 · Updated Aug 3, 2024

CVE-2022-24239

Description

ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via attachments.awp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unrestricted file upload in ACEweb Online Portal 3.5.065 via attachments.awp allows remote attackers to upload arbitrary files, potentially leading to code execution.

Vulnerability

ACEweb Online Portal version 3.5.065 contains an unrestricted file upload vulnerability in the attachments.awp endpoint. This flaw allows an attacker to upload arbitrary file types without proper validation, as described in the CVE and implied by the lack of content restrictions in the referenced vendor page [1].

Exploitation

An attacker with network access to the portal can send a crafted multipart request to the attachments.awp endpoint. The advisory does not explicitly state that authentication is required. The attacker includes a malicious file (e.g., a web shell) in the request, and the server accepts and stores it because neither file type nor content is checked.

Impact

Successful upload of a malicious file, such as a web shell or executable script, can lead to arbitrary code execution on the server. This compromises the confidentiality, integrity, and availability of the application and underlying system, potentially granting the attacker full control over the ACEweb Online Portal instance.

Mitigation

As of the publication date, no official patch has been released by ACEweb [1]. The vendor has not disclosed a fixed version. Users should restrict access to the attachments.awp endpoint via web application firewall rules or network segmentation until a patch becomes available.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
