CVE-2023-46253 in Squidex

Summary

by MITRE • 11/07/2023

Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitrary file write vulnerability in the backup restore feature which allows an authenticated attacker to gain remote code execution (RCE). Squidex allows users with the `squidex.admin.restore` permission to create and restore backups. Part of these backups are the assets uploaded to an App. For each asset, the backup zip archive contains a `.asset` file with the actual content of the asset as well as a related `AssetCreatedEventV2` event, which is stored in a JSON file. Amongst other things, the JSON file contains the event type (`AssetCreatedEventV2`), the ID of the asset (`46c05041-9588-4179-b5eb-ddfcd9463e1e`), its filename (`test.txt`), and its file version (`0`). When a backup with this event is restored, the `BackupAssets.ReadAssetAsync` method is responsible for re-creating the asset. For this purpose, it determines the name of the `.asset` file in the zip archive, reads its content, and stores the content in the filestore. When the asset is stored in the filestore via the `UploadAsync` method, the `assetId` and `fileVersion` are passed as arguments. These are further passed to the method `GetFileName`, which determines the filename where the asset should be stored. The `assetId` is inserted into the filename without any sanitization, which allows an attacker with `squidex.admin.restore` privileges to run arbitrary operating system commands on the underlying server (RCE).


Analysis

by VulDB Data Team • 12/03/2023

CVE-2023-46253 is a serious arbitrary file write flaw in Squidex, an open source headless content management system. It lives in the backup restore feature, specifically in the code that re-creates uploaded assets from a backup archive. An authenticated user holding the squidex.admin.restore permission can turn the file write into remote code execution on the server that runs Squidex, which makes the flaw particularly dangerous for production deployments. The root cause is missing input validation during asset restoration: the asset identifier read from the backup is inserted into a filesystem path without being checked or encoded.

Exploitation goes through BackupAssets.ReadAssetAsync, the method that restores assets from a backup archive. For each AssetCreatedEventV2 event in the archive it reads the matching .asset entry and hands the content to UploadAsync together with the assetId and fileVersion taken from the event's JSON. UploadAsync passes both values on to GetFileName, which builds the filestore file name from them without any sanitization. Because the attacker authors the backup archive, the attacker also authors the assetId: an identifier containing path separators or ../ sequences is embedded in the path as-is, so the restored file is written to a location of the attacker's choosing instead of the filestore directory. This is a path traversal that turns a restore operation into an arbitrary file write, which the attacker can then leverage for code execution on the host.
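To make the flow in the summary and the paragraph above concrete, here is an added Python illustration. It is not Squidex's own code (Squidex is written in C#) and not from the advisory: it models the unsanitized file-name construction, the allow-list fix, and a pre-restore audit of a backup archive that flags events whose asset id fails validation or would escape the filestore root. The JSON field names, the archive layout and the filestore root are assumptions, and the sample events are constructed; only the asset id, file name and version values in the first event are taken from the summary above.

```python
"""Added illustration for CVE-2023-46253 (not Squidex code; Squidex is C#).

Models the bug pattern (asset id from a backup event interpolated into a
filestore path), the hardened form (allow-list the id as a canonical UUID)
and a pre-restore audit.  Field names, archive layout and the filestore root
are assumptions made for this example.
"""
import io
import json
import uuid
import zipfile
from pathlib import PurePosixPath

# Assumed filestore root; the real location depends on the deployment.
FILESTORE_ROOT = PurePosixPath("/var/lib/squidex/assets")


def vulnerable_file_name(asset_id, file_version):
    """The bug pattern: the id read from the backup goes into the file name
    with no validation, so '/' and '..' survive into the path."""
    return f"{asset_id}_{file_version}.asset"


def hardened_file_name(asset_id, file_version):
    """Allow-list instead of sanitize: the id must be a canonical lowercase
    UUID (Squidex asset ids are GUIDs), the version a non-negative int."""
    try:
        canonical = str(uuid.UUID(asset_id))
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"asset id is not a UUID: {asset_id!r}") from exc
    if canonical != asset_id.lower():
        # uuid.UUID() also accepts braces, 'urn:uuid:' and unhyphenated
        # forms; one spelling keeps the stored name unambiguous.
        raise ValueError(f"asset id is not canonical: {asset_id!r}")
    if not isinstance(file_version, int) or file_version < 0:
        raise ValueError(f"bad file version: {file_version!r}")
    return f"{canonical}_{file_version}.asset"


def rejected(asset_id, file_version=0):
    """True when the allow-list refuses this id/version pair."""
    try:
        hardened_file_name(asset_id, file_version)
    except ValueError:
        return True
    return False


def resolve_in_store(file_name, root=FILESTORE_ROOT):
    """Lexically resolve root/file_name as the OS would, without touching the
    filesystem, to see where a write would land.  An absolute file_name
    replaces root entirely, as path-join APIs generally do."""
    resolved = []
    for part in (root / file_name).parts:
        if part == "..":
            if len(resolved) > 1:  # never pop the leading '/'
                resolved.pop()
        elif part != ".":
            resolved.append(part)
    return PurePosixPath(*resolved)


def escapes_root(file_name, root=FILESTORE_ROOT):
    """True when the resolved path is neither root nor a descendant of it."""
    resolved = resolve_in_store(file_name, root)
    return resolved != root and root not in resolved.parents


def build_backup(events):
    """Constructed stand-in for a backup archive: one JSON event per asset
    plus its .asset payload.  The real Squidex layout differs in detail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, event in enumerate(events):
            zf.writestr(f"events/{i}.json", json.dumps(event))
            zf.writestr(f"assets/{i}.asset", b"payload")
    return buf.getvalue()


def audit_backup(archive, root=FILESTORE_ROOT):
    """Pre-restore check: (entry, assetId, reason) for every
    AssetCreatedEventV2 whose id fails the allow-list; the reason also says
    when the unsanitized name would escape the filestore root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):
                continue
            event = json.loads(zf.read(name))
            if event.get("type") != "AssetCreatedEventV2":
                continue
            asset_id = str(event.get("assetId", ""))
            version = event.get("fileVersion", 0)
            try:
                hardened_file_name(asset_id, version)
            except ValueError as exc:
                reason = str(exc)
                if escapes_root(vulnerable_file_name(asset_id, version), root):
                    reason += "; unsanitized name escapes the filestore root"
                findings.append((name, asset_id, reason))
    return findings


# Constructed sample events: the first reuses the id, file name and version
# quoted in the advisory, the second carries a traversal payload.
SAMPLE_EVENTS = [
    {"type": "AssetCreatedEventV2",
     "assetId": "46c05041-9588-4179-b5eb-ddfcd9463e1e",
     "fileName": "test.txt", "fileVersion": 0},
    {"type": "AssetCreatedEventV2",
     "assetId": "../../../../tmp/outside",
     "fileName": "test.txt", "fileVersion": 0},
]

if __name__ == "__main__":
    for entry, asset_id, reason in audit_backup(build_backup(SAMPLE_EVENTS)):
        print(f"{entry}: assetId {asset_id!r} rejected: {reason}")
```

The audit rejects on allow-list failure rather than only when the lexical path check fires, because the path check cannot see symlinks or platform-specific separators; in the real fix the same allow-list belongs inside the method that builds the name (GetFileName in Squidex's case), not in a wrapper around the restore.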

The impact goes beyond file manipulation because an arbitrary file write on a server is usually enough to obtain code execution with the privileges of the Squidex process. From there an attacker can install malware, establish persistence, read application data and secrets, or use the host as a pivot into the rest of the network. Every Squidex release that ships the vulnerable backup restore code is affected until it is updated to a fixed version. The only prerequisite is the squidex.admin.restore permission, so the flaw remains a real risk even where access control is otherwise sound: an attacker who obtains an account with that permission through phishing, credential theft or an insider can go from CMS administrator to operating-system level access with a single crafted backup.

Organizations should upgrade to a Squidex release that contains the fix. Until that is done, restrict the squidex.admin.restore permission to the few administrators who genuinely need it, segment the network so the Squidex host cannot reach more than it must, treat backup archives from untrusted sources as hostile, and monitor for backup restores and for file creation outside the asset filestore directory. The vulnerability maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), and to ATT&CK techniques T1078 (Valid Accounts) for the administrative access it requires and T1059 (Command and Scripting Interpreter) for the resulting execution. More generally it shows why identifiers taken from user-controlled input, backup files included, must be validated against an allow-list (here, a canonical GUID) before they are used to build a path, and why CMS permissions that touch the filesystem deserve least-privilege treatment. Code reviews and security audits of backup and restore code paths, which routinely deserialize attacker-controllable data into filesystem operations, are a good place to look for the same class of bug in other systems.

Responsible

GitHub, Inc.

Reservation

10/19/2023

Disclosure

11/07/2023

Moderation

accepted

CPE

ready

EPSS

0.01538

KEV

no

Activities

very low
