Unrated severity · NVD Advisory · Published Jan 17, 2024 · Updated Jun 2, 2025

Unrestricted upload of dangerous file types in C21 Live Encoder and Live Mosaic

CVE-2024-0643

Description

Unrestricted upload of dangerous file types in the C21 Live Encoder and Live Mosaic product, version 5.3. This vulnerability allows a remote attacker to upload different file extensions without any restrictions, resulting in a full system compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unrestricted file upload in Cires21 C21 Live Encoder and Live Mosaic 5.3 allows remote attackers to upload arbitrary files, leading to full system compromise.

Vulnerability

An unrestricted upload of dangerous file types vulnerability exists in Cires21 C21 Live Encoder and Live Mosaic, version 5.3 [1]. The software fails to restrict the file extensions that can be uploaded, enabling an attacker to upload arbitrary files including those that can be executed on the server [1]. This is a classic CWE-434 unrestricted file upload flaw [1].

Exploitation

A remote attacker with network access to the affected application can exploit this vulnerability by sending a crafted HTTP request to the file upload endpoint, specifying any file extension without validation [1]. No authentication or prior access is required; the CVSS vector indicates that the attack is carried out over the network, has low complexity, and requires no privileges or user interaction [1].

Impact

Successful exploitation allows the attacker to upload malicious files such as web shells or executable scripts onto the server [1]. This leads to arbitrary code execution in the context of the web server, resulting in a full system compromise with high impact on confidentiality, integrity, and availability [1].

Mitigation

The vendor Cires21 resolved these vulnerabilities in the latest software version released in the last week of November 2023 [1]. Affected users should update to the fixed version as soon as possible [1]. No workarounds are mentioned in the available references; applying the vendor patch is the recommended mitigation.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

1
