An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL.
An attacker sends a specially crafted HTTP request containing a malicious payload in the infoid parameter of the URL. The application does not properly validate this value (CWE-94: improper neutralization of directives in dynamically generated code, CWE-233: improper handling of parameters), leading to interpretation of attacker-supplied code on the server side. The attack requires no authentication or user interaction and can be performed remotely over the network.
An attacker can gain full control over the application server — including confidentiality, integrity, and availability of all data — through remote code execution (RCE) with the privileges of the application process.
Security patches available from the vendor should be applied in accordance with the references. Until an update is available, it is recommended to restrict access to the application at the firewall level and monitor network traffic for suspicious requests containing non-standard values of the infoid parameter.
EpointWebBuilder versions 5.1.0-sp1, 5.2.1-sp1, 5.4.1, and 5.4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEpoint Epointwebbuilder
APPEpoint5.1.05.2.15.4.15.4.2