CVE-2018-17058

Name of the Vulnerable Software and Affected Versions: JABA XPress Online Shop versions through 2018-09-14

Description: An issue was discovered in the picture-upload feature of ProductEdit.aspx, allowing an arbitrary file upload vulnerability. An authenticated attacker can bypass frontend filename validation and upload an arbitrary file via FileUploader.aspx.cs in FileUploader.aspx by using empty w and h parameters. The uploaded file may contain arbitrary aspx code that can be executed by accessing "/Jec/ProductImages//". Notably, accessing the file once uploaded does not require authentication.

Recommendations: For JABA XPress Online Shop versions through 2018-09-14, consider disabling the picture-upload feature in ProductEdit.aspx until a patch is available. Restrict access to the FileUploader.aspx.cs file to minimize the risk of exploitation. Avoid using empty w and h parameters in the FileUploader.aspx file to prevent arbitrary file uploads.