VYPR
High severity · NVD Advisory · Published Feb 5, 2024 · Updated Jun 17, 2025

CVE-2024-22567

Description

File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MCMS 5.3.5 has an arbitrary file upload vulnerability in /ms/file/upload.do due to insufficient file extension filtering, allowing authenticated attackers to upload malicious files.

Vulnerability

MCMS 5.3.5 suffers from an arbitrary file upload vulnerability in the /ms/file/upload.do endpoint, handled by the ManageFileAction.java controller [1]. The lack of strict filtering on file extensions allows attackers to bypass the intended restrictions and upload files with dangerous extensions such as .jsp or .php [1].

Exploitation

To exploit this vulnerability, an attacker must first authenticate to the MCMS backend; the reference notes that the default credentials msopen/msopen can be used to log in [1]. Once authenticated, the attacker sends a crafted multipart POST request carrying the malicious file to the upload endpoint. Because the code does not properly validate the file type, arbitrary files can be uploaded, and the reference reports that the destination directory can also be chosen by the attacker [1].

Impact

Successful exploitation allows an attacker to upload a web shell or other malicious files; where the upload location is served by the application container, an uploaded .jsp gives remote code execution on the server. This can result in full compromise of the MCMS instance, data theft, or further lateral movement within the network [3].

Mitigation

As of the publication date, no official patch has been released. Users are advised to restrict who can reach the upload function, enforce a strict allowlist of file extensions rather than a blocklist of known-dangerous ones, and change the default credentials immediately. Disabling the upload endpoint if it is not required, and ensuring the upload directory is not served as executable content, further reduce risk [1][3].
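The upload hardening described above, as an added example that is not MCMS's own code (the page does not show the affected ManageFileAction.java): a naive extension blocklist of the kind the advisory calls bypassable, beside a strict allowlist that normalizes the client-supplied filename and lets the server pick the stored name. The allowlist contents and the probe filenames are constructed for this illustration.

```python
"""Filename validation for an upload handler: weak blocklist vs. strict allowlist.

Added illustration, not MCMS code. ALLOWED_EXTENSIONS and PROBE_NAMES are
constructed for this example.
"""
import re
import secrets

# Assumed allowlist for an image/document upload feature (illustrative).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Blocklist in the style the advisory describes as bypassable: it refuses a
# few known-dangerous suffixes and lets everything else through.
WEAK_BLOCKLIST = (".jsp", ".php")

# Constructed probe names an attacker might send in the multipart filename field.
PROBE_NAMES = [
    "photo.png",           # benign
    "Report.PDF",          # benign, upper-case extension
    "shell.jsp",           # the one case the blocklist catches
    "shell.JSP",           # case variation
    "shell.jspx",          # sibling extension not on the blocklist
    "shell.jsp.png",       # double extension
    "shell.jsp\x00.png",   # NUL truncation trick
    "../shell.jsp",        # path traversal in the filename
    "..\\..\\shell.jsp",   # Windows-style traversal
]


def weak_is_allowed(filename: str) -> bool:
    """Blocklist check: only an exact, lowercase suffix match is refused."""
    return not filename.endswith(WEAK_BLOCKLIST)


def strict_extension(filename: str):
    """Return the normalized extension if the name is acceptable, else None.

    Rules: no NUL or control characters, any client-supplied directory part is
    dropped, exactly one dot, a conservative stem, and the extension must be on
    the allowlist after lower-casing.
    """
    if not filename or any(ord(c) < 0x20 for c in filename):
        return None
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    ext = ext.lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def stored_name(filename: str):
    """Server-chosen storage name: random stem plus the validated extension.

    Never reuses the client's stem, so the attacker cannot pick the name or
    the directory the file lands in.
    """
    ext = strict_extension(filename)
    return None if ext is None else f"{secrets.token_hex(16)}.{ext}"


def audit(names=PROBE_NAMES):
    """Map each probe name to (weak_blocklist_allows, strict_allowlist_extension)."""
    return {n: (weak_is_allowed(n), strict_extension(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, strict) in audit().items():
        print(f"{name!r:24} blocklist={'allow' if weak else 'reject'}  "
              f"allowlist={'reject' if strict is None else strict}")
```

Running the audit shows the blocklist waving through six of the nine probes, including the case-changed, sibling-extension and NUL-truncated variants, while the allowlist rejects every shell variant and accepts only the two benign names. An extension check is still only one layer: a real handler should also verify the content (magic bytes or a server-side re-encode), store uploads outside any directory the servlet container will execute, and apply the check after authentication rather than instead of it.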

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.mingsoft:ms-mcms (Maven)
Affected versions: <= 5.3.5
Patched versions: none

Affected products: 1

Patches: 0

No patches discovered yet.


References: 2
