CRITICAL🇵🇱 Wersja polska

CVE-2025-69770

CVSS 10.0v3.1pub. 2026-02-13upd. 2026-04-15

A zip slip vulnerability in the /DesignTools/SkinList.aspx endpoint of MojoPortal CMS v2.9.0.1 allows attackers to execute arbitrary commands via uploading a crafted zip file.

🤖 AI Analysis
How it works

The vulnerability consists of improper validation of file paths during the extraction of a ZIP archive uploaded through the /DesignTools/SkinList.aspx endpoint. An attacker can craft a ZIP archive containing files with paths that reference parent directories (path traversal), allowing malicious files to be written outside the intended target directory. This makes it possible to place an executable file (e.g., a web shell) in any location accessible to the web server, leading to the execution of arbitrary system commands.

Impact

An attacker can gain full control over the server — execute arbitrary system commands, read and modify data, and potentially take control of the entire infrastructure hosting the application (full confidentiality, integrity, and availability of the system are at risk).

Mitigation & patch

MojoPortal CMS should be updated to version 2.9.1 or newer, available at https://www.mojoportal.com/mojoportal-2-9-1. Until the patch is deployed, it is recommended to restrict access to the /DesignTools/SkinList.aspx endpoint only to trusted, authenticated administrative users at the firewall or web server level.

Who is affected

MojoPortal CMS version 2.9.0.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References