Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an authenticated attacker (being an administrator is not required) to upload malicious files to the server. Once a web shell is installed, the attacker gains the ability to execute arbitrary commands.
The backup restore function accepts a ZIP file uploaded by the user and automatically extracts its contents on the server without proper verification of uploaded files. An attacker can place a malicious file (e.g., PHP web shell) in the ZIP archive, which is saved in an accessible location on the server after extraction. Once the web shell is on the server, the attacker gains the ability to remotely execute arbitrary system commands (RCE). To carry out the attack, it is sufficient to have any user account in the application — administrator privileges are not required.
An attacker can gain full control over the server by executing arbitrary system commands, leading to complete compromise of data and system confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict access to the backup restore functionality and monitor user activity in the application.
Wallosapp Wallos version 2.38.2 and all earlier versions
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWallosapp Wallos
APPWallosapp≤ 2.38.2
Related vulnerabilities
Wallos – nieuwierzytelniony upload pliku umożliwiający RCE
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoint...
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix ap...
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch intro...
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a serv...