| Title | nopCommerce up to 4.2.0 FileRoxyFilemanService.cs Arbitrary File Download/Upload |
|---|
| Description | A vulnerability, which was classified as critical, was found in nopCommerce up to 4.20. Affected is the upload and download functionalities of the file Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs. The manipulation of URL parameters "d" [directory] and "f" [file] leads to a Path Traversal vulnerability, which allow to read and write arbitrary files on the underlying server filesystem. The vulnerability can be further exploited to create a webshell on the server, achieving remote command execution on the server. CWE is classifying the issue as CWE-23. This is going to have an impact on confidentiality, integrity, and availability.
The weakness was discovered by Alessandro Magnosi (d3adc0de) and Jun Woo Lee on 19/06/2019. This vulnerability still not have a CVE assigned. The exploitability is told to be not trivial. It is possible to launch the attack remotely. A single authentication is necessary for exploitation. Technical details are known, and a private exploit has been developed by Alessandro Magnosi (d3adc0de).
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. But the issue has been solved from version 4.3.0. |
|---|
| Source | ⚠️ https://github.com/klezVirus/cves/tree/master/NopCommerce/Privilege%20Escalation%20via%20Plugin%20Upload |
|---|
| User | Anonymous User |
|---|
| Submission | 12/06/2019 17:00 (6 years ago) |
|---|
| Moderation | 12/10/2019 08:56 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 146825 [Nop Solution Ltd nopCommerce 4.2.0 on ASP.NET File Upload PluginController.cs Custom Plugin unrestricted upload] |
|---|
| Points | 20 |
|---|