Hej,

Let's keep it short ...

===== Intro =====

A "sudo make me a sandwich" security issue has been identified in the TX Text Control .NET Server for ASP.NET[1]. According to the vendor[2], it is "the most powerful, MS Word compatible document editor that runs in all browsers". All versions are likely affected; however, this has not been confirmed.

===== Issue =====

It was possible to change the configured system path used for reading and writing files in the underlying operating system, with the privileges of the user account running the web application. This can be achieved from the browser by calling the setFileDirectory() method exposed via the JavaScript API[3], so any user of the editor can repoint the server's file directory, e.g. to the root of a drive.

=== PoC ===

-- cut --
TXTextControl.setFileDirectory(0, "c:\\")
-- cut --

See also the attached image file for details.

=========== Remediation ===========

Contact the vendor[4] directly for remediation guidance.

======== Timeline ========

14.10.2024: Security contact requested from sales.department@textcontrol.com.
31.10.2024: CVE requested from MITRE.
......2024: Nobody cares.
12.11.2024: The advisory has been released.

========== References ==========

[1] https://www.textcontrol.com/products/asp-dotnet/tx-text-control-dotnet-server/overview/
[2] https://www.textcontrol.com
[3] https://docs.textcontrol.com/textcontrol/asp-dotnet/ref.javascript.txtextcontrol.setfiledirectory.method.htm
[4] https://www.textcontrol.com/contact/email/general/

Cheers,
Filip Palian