An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.
A logged-in user can send a manipulated AJAX request to the application in which the target file path contains path traversal sequences (e.g., '../'). The file upload mechanism does not properly validate the path, allowing any file to be saved outside the intended directory. If the selected target directory is publicly accessible through the web server, the uploaded file (e.g., PHP script or other executable) can be executed remotely, leading to full code execution on the server.
An attacker with an active session can trigger remote code execution (RCE) on the server, which consequently enables full system takeover, data theft, configuration modification, and further lateral movement within the network.
Apply patches available from the vendor according to the references (https://www.znuny.org/en/advisories/zsa-2024-01). Until the fix is deployed, it is recommended to restrict application access exclusively to trusted, authenticated users and monitor attempts to upload files with unusual paths.
Znuny LTS versions 6.0.31 – 6.5.7 and Znuny versions 7.0.1 – 7.0.16
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZnuny
APPZnuny6.0.31 – 6.5.77.0.1 – 7.0.16
Related vulnerabilities
Brak weryfikacji uprawnień w Generic Interface systemu Znuny (eskalacja uprawnień)
Eval Injection w Znuny umożliwia zdalne wykonanie poleceń
Znuny: Ciasteczko sesji bez flagi HttpOnly — ryzyko kradzieży sesji
An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.
An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encr...