PT-2019-9869 · Silverpeas · Silverpeas

Published

2019-04-09

·

Updated

2019-04-11

·

CVE-2018-19586

CVSS v3.1

9.9

Critical

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Silverpeas versions 5.15 through 6.0.2
Description: The issue is an authenticated Directory Traversal vulnerability that occurs during file uploads. It is caused by the mishandling of a StringUtil.java call in core/webapi/upload/FileUploadData.java. This allows regular users to write arbitrary files on the underlying system with the privileges of the user running the application. An attacker can exploit this to write an executable JSP file in an exposed web directory, enabling them to execute commands on the underlying system.
Recommendations: For Silverpeas versions 5.15 through 6.0.2, consider restricting file upload capabilities until a fix is available. As a temporary workaround, restrict access to the file upload functionality implemented in FileUploadData.java to minimize the risk of exploitation. Additionally, monitor the system for suspicious file uploads or modifications, especially in exposed web directories.
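One way to harden the kind of upload path handling the description says was mishandled, as an added Java example that is not Silverpeas code (the class name, upload root and sample file names are constructed for illustration):

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;

// Added example, not Silverpeas code: resolve a client-supplied upload name against
// a fixed upload root and refuse anything that could escape the root or that a
// servlet container would execute if it reached an exposed web directory.
public final class SafeUploadPath {

    // Extensions a Java servlet container may execute.
    private static final Set<String> BLOCKED_EXTENSIONS =
            Set.of("jsp", "jspx", "jspf", "jsw", "jsv");

    // Returns the absolute target path inside uploadRoot, or throws if unsafe.
    public static Path resolve(Path uploadRoot, String clientFileName) throws IOException {
        if (clientFileName == null || clientFileName.isBlank()) {
            throw new IOException("empty file name");
        }
        // Keep only the last path component, whatever separator the client used,
        // so "../../webapp/x.jsp" is reduced to "x.jsp" before any other check.
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            throw new IOException("invalid file name: " + clientFileName);
        }
        // Reject extensions the container could execute (case-insensitive).
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (BLOCKED_EXTENSIONS.contains(ext)) {
            throw new IOException("forbidden file type: ." + ext);
        }
        // Defence in depth: after normalisation the target must still lie strictly
        // below the upload root, even if the basename step above is ever bypassed.
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(name).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IOException("path escapes upload root: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Path.of("/var/silverpeas/uploads"); // constructed sample root, not a real path
        System.out.println(resolve(root, "report.pdf"));        // accepted
        System.out.println(resolve(root, "../../report.pdf"));  // traversal stripped, stored as report.pdf
        for (String bad : new String[] {"../../webapp/x.jsp", "notes.JSP", ".."}) {
            try { resolve(root, bad); }
            catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Rejections should also be logged with the original client-supplied name, since a traversal sequence or a JSP extension in an upload request is exactly the signal the recommendations above ask defenders to monitor for.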

Exploit

Fix

Path traversal


Weakness Enumeration

Related identifiers

CVE-2018-19586

Affected products

Silverpeas