Omar Mezrag

**Name of the Vulnerable Software and Affected Versions** Web Viewer version 1.0.0.193 **Description** The issue allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension in the "network ssl upload.php" endpoint. This is achieved by accessing the uploaded file directly in the upload/ directory. Authentication for this attack can be obtained by leveraging an existing Local File Read issue, which allows remote attackers to read web-interface credentials in cleartext via a request to the "cslog export.php?path=/root/php modules/lighttpd/sbin/userpw" URI. **Recommendations** For Web Viewer version 1.0.0.193, restrict access to the "network ssl upload.php" endpoint to prevent arbitrary PHP code execution. As a temporary workaround, consider disabling the upload functionality in the "network ssl upload.php" endpoint until a patch is available. Additionally, restrict access to the "cslog export.php" endpoint to minimize the risk of credential exposure.