Vulnerability CVE-2021-40845


Published: 2021-09-15

Description:
The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory.

See advisories in our WLB2 database:
Topic
Author
Date
High
AlphaWeb XE File Upload Remote Code Execution (Authenticated)
Ricardo Ruiz (@r...
15.09.2021
High
Zenitel AlphaCom XE Audio Server 11.2.3.10 Shell Upload
Ricardo Jose Rui...
17.09.2021

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

 References:
https://ricardojoserf.github.io/CVE-2021-40845/
https://github.com/ricardojoserf/CVE-2021-40845
http://packetstormsecurity.com/files/164149/Zenitel-AlphaCom-XE-Audio-Server-11.2.3.10-Shell-Upload.html

Copyright 2024, cxsecurity.com

 

Back to Top