PT-2019-11284 · .Net+1 · Moxiemanager+1

Published

2019-03-25

Updated

2019-09-20

CVE-2019-10012

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Jenzabar JICS (aka Internet Campus Solution) versions prior to 9

Description: The issue allows remote attackers to upload and execute arbitrary .aspx code. This is achieved by placing the code in a ZIP archive and using the MoxieManager (for .NET) plugin before 2.1.4 in the moxiemanager directory within the installation folder ICSICS.NETICSFileServer.

Recommendations: For versions prior to 9, update to version 9 or later to resolve the issue. As a temporary workaround, consider restricting access to the MoxieManager plugin or removing it until a patch is applied. Avoid using the moxiemanager directory for uploading ZIP archives until the issue is resolved.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2019-10012

Affected Products

Jenzabar Jics

Moxiemanager

PT-2019-11284 · .Net+1 · Moxiemanager+1

CVE-2019-10012

Weakness Enumeration

Related Identifiers

Affected Products

References · 5