| 제목 | OpenWGA OpenWGA Admin Client 7.11.12 (Build 737) Code Injection |
|---|
| 설명 | OpenWGA Admin Client exposes TMLScript APIs that allow file I/O via WGA.File. In the tested build, a user with Admin or Design rights can write attacker-controlled files into a web-served path. Writing a server-interpreted artefact (for example a .jsp) into the OpenWGA webroot and then requesting it over HTTP results in remote code execution under the application server account.
This combines insufficient restriction of TMLScript file writes with a webroot that is writable and executed by the servlet container. |
|---|
| 원천 | ⚠️ https://github.com/mikecole-mg/security_findings/blob/main/openwga/openwga-rce.md |
|---|
| 사용자 | mikecole-mg (UID 89343) |
|---|
| 제출 | 2025. 10. 13. AM 12:35 (8 개월 ago) |
|---|
| 모더레이션 | 2025. 10. 26. AM 06:29 (13 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 329921 [OpenWGA 7.11.12 Build 737 TMLScript API WGA.File 디렉토리 순회] |
|---|
| 포인트들 | 20 |
|---|