Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and results from insufficient validation of uploaded file types in Samsung MagicINFO 9 Server. An attacker can upload a file containing malicious code (such as a webshell or other executable payload) without requiring authentication or user interaction. After the file is uploaded, the server may process or execute it, resulting in arbitrary code execution in the context of the application.
Successful exploitation of this vulnerability allows an attacker to gain complete control over the server, including reading and modifying data (confidentiality, integrity) and potentially disrupting service availability. The vulnerability may lead to deeper compromise of network infrastructure.
Samsung MagicINFO 9 Server should be immediately updated to version 21.1080.0 or newer. Detailed patch information is available at https://security.samsungtv.com/securityUpdates. Until the update is implemented, it is recommended to restrict network access to the server interface exclusively to trusted hosts and monitor suspicious activity related to file uploads.
Samsung MagicINFO 9 Server in versions prior to 21.1080.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSamsung Magicinfo 9 Server
APPSamsung< 21.1080.0
Related vulnerabilities
Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM
Samsung MagicINFO 9 Server — Stored XSS przez upload plików HTML
Zakodowane na stałe dane logowania do bazy danych w Samsung MagicINFO 9 Server
Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell
Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection