Impact
All known versions to date, up to and including 5.0.3, are affected; later versions will include the fix.
Patches
Hotfix notes & download
Hotfix download
Notes
Please upload and install the following hotfix as soon as possible.
Applies to versions 4.20.43 up to 5.0.3; later versions will have the hotfix integrated.
Do not install it on other versions, or you may break your system.
Versions prior to 4.20.43 must first be updated to 4.20.43 before this hotfix is installed.
A security research team reported the following severe RCE vulnerability to us:
- A backoffice user can be created via a crafted request by a caller who lacks the permission to do so
- This user can then disable the application's security layer (the WAF, Web Application Firewall)
- This user can then upload a crafted zip file containing a malicious file
- This user can then execute the malicious file/code (the RCE itself)
What we have done to patch this RCE:
- We have prevented the creation of a backoffice user by a caller who lacks the permission to do so
- We have added a new security layer to prevent the application's security from being disabled:
  - Everything related to the WAF (Web Application Firewall) is now only available via the CLI (Command Line Interface)
- We have added a new security layer to prevent the upload of a crafted zip file containing a malicious file
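As an added example (not the project's own code), the following Python models the archive-inspection step described in the last item above: before anything is extracted, every entry is rejected if its name carries a server-side executable extension anywhere (so `shell.php.jpg` is caught), if its final extension is not on an allowlist, if it is a dotfile such as `.htaccess`, if its path escapes the extraction directory, or if it is a symlink. The allow and deny lists and the sample archives are constructed for illustration and are not the application's actual WAF configuration.

```python
"""Validate an uploaded zip archive before any of it is extracted.

Added example, not the project's code: it models the kind of check that blocks
the "crafted zip containing a malicious file" step of the chain above.
The allow/deny lists and sample archives below are assumptions for illustration.
"""
import io
import stat
import zipfile

# Assumed allowlist of extensions a backoffice upload may contain (illustrative).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "svg", "css", "js", "json", "txt", "md", "html"}

# Server-side executable or configuration extensions that must never appear
# anywhere in a filename, so that "shell.php.jpg" is caught as well.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht", "phps",
    "inc", "cgi", "pl", "py", "sh", "htaccess", "ini",
}


def entry_problems(info: zipfile.ZipInfo) -> list[str]:
    """Return every reason this archive entry must be rejected (empty list means OK)."""
    problems: list[str] = []
    name = info.filename.replace("\\", "/")

    # Paths that could land outside the extraction directory.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        problems.append("absolute path")
    parts = name.split("/")
    if ".." in parts:
        problems.append("path traversal")

    # A symlink entry stores its target as content; once extracted, a later
    # entry can write through it. The Unix mode lives in the high 16 bits.
    if stat.S_ISLNK(info.external_attr >> 16):
        problems.append("symlink entry")

    base = parts[-1]
    if base == "":
        return problems  # directory entry, nothing more to check

    if base.startswith("."):
        problems.append("hidden/config file")  # .htaccess, .user.ini, ...
    exts = base.lower().split(".")[1:]  # every segment after the first dot
    if not exts:
        problems.append("no extension")
    else:
        if any(e in EXECUTABLE_EXTENSIONS for e in exts):
            problems.append("executable extension")
        if exts[-1] not in ALLOWED_EXTENSIONS:
            problems.append(f"extension '{exts[-1]}' not allowed")
    return problems


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each offending entry name to its problems; an empty dict means the archive is clean."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = entry_problems(info)
            if problems:
                findings[info.filename] = problems
    return findings


def is_safe(data: bytes) -> bool:
    """True only when no entry in the archive raised a problem."""
    return not inspect_zip(data)


def build_zip(entries: dict[str, bytes], symlinks=None) -> bytes:
    """Build a constructed in-memory archive so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
            zf.writestr(info, target)
    return buf.getvalue()


# Constructed sample archives: one benign theme upload, one crafted like the reported chain.
BENIGN = build_zip({"theme/style.css": b"body{}", "theme/logo.png": b"\x89PNG\r\n\x1a\n"})
CRAFTED = build_zip(
    {
        "theme/shell.php": b"<?php system($_GET['c']); ?>",
        "theme/pic.php.jpg": b"<?php echo 1; ?>",
        "../../public/backdoor.phtml": b"<?php ?>",
        ".htaccess": b"AddType application/x-httpd-php .jpg",
    },
    symlinks={"theme/link.txt": "../../config"},
)

if __name__ == "__main__":
    print("benign archive safe:", is_safe(BENIGN))
    for entry, problems in inspect_zip(CRAFTED).items():
        print(f"reject {entry!r}: {', '.join(problems)}")
```

The check runs over `infolist()` without extracting anything, so a rejected archive never touches disk. Note that an extension allowlist alone is not enough: the `.htaccess` case shows why dotfiles and web-server configuration files must be refused regardless of the allowlist, since they can re-map an allowed extension to the PHP handler.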
New set of CLI commands
waf:status
Get the Web Application Firewall status.
waf:enable
Enables the Web Application Firewall.
waf:disable
Disables the Web Application Firewall.
waf:extension:list
Lists the allowed extensions in the Web Application Firewall.
waf:extension:allow [extension]
Allows an extension in the Web Application Firewall.
waf:extension:disallow [extension]
Disallows an extension in the Web Application Firewall.
Disclaimer: Legal Consequences of Exploiting Known Vulnerabilities
This document serves as a reminder and warning to all individuals who come across this information. The purpose of this disclaimer is to educate and caution against engaging in any unauthorized activities that involve exploiting known vulnerabilities to gain malicious access to computer systems, networks, or data that they do not own or have explicit permission to access. Such actions are not only ethically questionable but also subject to severe legal repercussions under various national and international laws.
- Unauthorized Access: Utilizing known vulnerabilities in computer systems, software, or networks without explicit authorization is considered a breach of trust and may lead to unauthorized access to sensitive information.
- Legal Violations: Engaging in activities that exploit vulnerabilities with the intent of unauthorized access, data theft, disruption of services, or any other form of malicious intent is illegal. Laws related to computer fraud, hacking, and unauthorized access can vary by jurisdiction but generally carry significant penalties.
- Ethical Responsibility: The cybersecurity community emphasizes responsible disclosure of vulnerabilities to appropriate parties, such as software vendors, before publicizing or exploiting them. Deliberate attempts to exploit vulnerabilities without proper authorization violate ethical standards within the industry.
- Consequences: Individuals found guilty of exploiting vulnerabilities for malicious purposes may face criminal charges, fines, civil suits, and potential imprisonment, depending on the jurisdiction and severity of the offense.
- No Endorsement: This disclaimer does not endorse or encourage any form of illegal or unethical activities. It exists to raise awareness about the legal and ethical ramifications associated with exploiting known vulnerabilities.
- Education and Research: While learning about vulnerabilities, security testing, and penetration testing can be valuable for educational and research purposes, it is crucial to adhere to legal guidelines and ethical standards.
- Seek Legal Advice: If you have questions about the legality of your actions or potential research, seek advice from a qualified legal professional who specializes in cybersecurity and internet law.
In conclusion, the exploitation of known vulnerabilities for malicious purposes is strictly prohibited by law and ethics. The creators of this disclaimer urge all individuals to act responsibly, ethically, and within the confines of the law when engaging with information related to cybersecurity vulnerabilities. Remember that promoting a safe and secure digital environment benefits all stakeholders in the long run.
By continuing to read or interact with this document, you acknowledge your understanding of the content within this disclaimer and agree to act in accordance with ethical and legal standards.
A CVE identifier is pending and will be added as soon as possible.