CVE-2022-40050

Vulnerability

ZFile version 4.1.1 contains an arbitrary file upload vulnerability in the /file/upload/1 endpoint. The component fails to properly validate or restrict the file types or paths that can be uploaded, enabling an attacker to upload arbitrary files to the server. This issue affects ZFile v4.1.1 as disclosed in the advisory [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the /file/upload/1 endpoint without requiring authentication or special privileges. The attacker only needs network access to the target ZFile instance. By manipulating the file upload request, they can upload executable files such as JSP or PHP shells to the web server's document root or other accessible directories.

Impact

Successful exploitation allows an attacker to achieve arbitrary file upload, which can lead to remote code execution with the privileges of the web server. This can result in full compromise of the confidentiality, integrity, and availability of the affected system, including data theft, defacement, or further lateral movement within the network.

Mitigation

As of the publication date (2022-09-26), no fixed version has been released by the vendor. The advisory [1] does not provide a patch or workaround. Users should monitor the official ZFile repository for updates and consider restricting access to the upload endpoint or implementing additional file validation until a patch is available.