IQID:13367 HTTP Notes 4.5 Arbitrary File Upload S

IQID: 13367 - June 2016

A arbitrary file upload web vulnerability has been discovered in the official Notes v4.5 iOS mobile web-application (wifi). The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests via POST. The web vulnerability is located in the `filename` values of the `Upload File` module. Remote attackers are able to inject own files with malicious `filename` values in the `upload.action` POST method request to compromise the mobile web-application. The arbitrary file upload execute occcurs in the index file dir listing of the wifi interface. The attacker is able to inject the local file upload form request by usage of the `wifi interface` in connection with the vulnerable upload service module. The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. Exploitation of the arbitrary file upload vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the arbitrary file upload web vulnerability results in mobile web-application or device compromise.

A Full Description is available for this threat, please sign in for access to Full Description.

 

Attack Data

Attack Data is available for this threat, please sign in for access to Attack Data.

 

CVSS Information

CVSS Information is available for this threat, please sign in for access to CVSS Information.

 

Date

Date Information is available for this threat, please sign in for access to Date Information.