CVE-2020-35656

Name of the Vulnerable Software and Affected Versions Jaws versions 1.8.0 and earlier

Description The issue allows remote authenticated administrators to execute arbitrary code via crafted use of "admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser" and "admin.php?reqGadget=FileBrowser&reqAction=Files" to upload a .php file. This is unrelated to the JAWS (aka Job Access With Speech) product.

Recommendations For versions 1.8.0 and earlier, as a temporary workaround, consider disabling the use of the admin.php endpoint with reqGadget and reqAction parameters until a patch is available. Restrict access to the FileBrowser component to minimize the risk of exploitation. Avoid using the comp and reqAction parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.