An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
The File Operations API Endpoint component does not properly sanitize input data containing path traversal sequences (e.g., '../'). An attacker with only basic authentication can use a specially crafted network request to escape the allowed directory and gain access to arbitrary system files. By modifying or tampering with files, it is possible to ultimately achieve remote code execution (RCE) on the server hosting the application.
An attacker can read, modify, or overwrite any files accessible to the application process, which ultimately leads to complete server takeover through remote code execution.
Security patches provided by the vendor should be applied according to references (https://gitlab.com/crafty-controller/crafty-4/-/issues/660). Until patches are implemented, it is recommended to restrict access to the API exclusively to trusted, authenticated users and to monitor logs for suspicious requests to File Operations endpoints.
Craftycontrol Crafty Controller — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:LCraftycontrol Crafty Controller
APPCraftycontrol4.7.0
Related vulnerabilities
IDOR w Crafty Controller — nieautoryzowana modyfikacja kont użytkowników
RCE przez Server Side Template Injection w Crafty Controller (Webhook Template)
An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remo...
An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unaut...
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller...