PT-2018-12768 · Ocs Inventory · Ocsinventory-Server

Simon Uvarov · Published 2018-08-06 · Updated 2018-10-10 · CVE-2018-14857

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OCS Inventory Server versions prior to 2.5
Description: The issue allows a privileged user to gain access to the server via a template file containing PHP code. This is due to unrestricted file upload in the require/mail/NotificationMail.php file in Webconsole, where file extensions other than .html are permitted.
Recommendations: For versions prior to 2.5, restrict file uploads to only allow .html extensions to prevent remote code execution. As a temporary workaround, consider disabling the file upload feature in the Webconsole until a patch is available.
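As an added example that is not part of this advisory or of the OCS Inventory code base, the following PHP places a weak upload check beside a validator that enforces the .html-only restriction the recommendation describes. The function names, the destination-directory parameter and the `$_FILES`-style array layout are assumptions; the weak variant only stands in for "any extension is accepted" and is not the project's actual code.

```php
<?php
// Added example (not OCS Inventory's own code). Names are hypothetical.
declare(strict_types=1);

// Weak check in the spirit of the advisory: the extension is never looked at,
// so a template named notification.php is stored and later executable.
function weakTemplateCheck(array $file): bool
{
    return ($file['error'] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_OK
        && ($file['size'] ?? 0) > 0;
}

// Hardened check: exactly one extension and it must be .html, the content may
// not carry a PHP open tag, and the file is stored under a server-chosen name
// so the client-supplied name is never used as a path.
function validateTemplateUpload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $original = basename((string) ($file['name'] ?? ''));
    // No dots other than the final ".html": rejects double extensions such as
    // template.php.html, which some web-server handler configurations execute.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.html$/', $original)) {
        throw new RuntimeException('only .html templates are accepted');
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    $content = file_get_contents($tmp);
    if ($content === false || $content === '') {
        throw new RuntimeException('empty template');
    }
    // Refuse content that the PHP interpreter would execute if the file ever
    // ended up in a PHP-served path ("<?php", "<?=", short tags).
    if (stripos($content, '<?') !== false) {
        throw new RuntimeException('template contains a PHP open tag');
    }
    // Server-chosen file name; the .html suffix keeps the file static.
    $stored = bin2hex(random_bytes(8)) . '.html';
    $target = rtrim($destDir, '/') . '/' . $stored;
    if (!move_uploaded_file($tmp, $target)) {
        throw new RuntimeException('could not store template');
    }
    return $target;
}

// Usage (hypothetical form field name "template"):
// $path = validateTemplateUpload($_FILES['template'], '/var/lib/ocs/templates');
```

The extension check is on the stored name, not on the MIME type the client claims, because the latter is attacker-controlled. Storing templates in a directory the web server does not hand to the PHP interpreter is the second layer the advisory's workaround implies; the `<?` scan is defence in depth for the case where that directory is misconfigured.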

Fix

RCE

Unrestricted File Upload


Weakness Enumeration

Related identifiers: CVE-2018-14857

Affected products: Ocsinventory-Server