CVE-2020-25237

Name of the Vulnerable Software and Affected Versions: SINEC NMS versions prior to V1.0 SP1 Update 1 SINEMA Server versions prior to V14.0 SP2 Update 2

Description: A vulnerability has been identified that allows an attacker to create or overwrite arbitrary files on an affected system. This occurs when uploading files to the system using a zip container, as the system fails to correctly check if the relative file path of the extracted files is still within the intended target directory. This type of issue is also known as 'Zip-Slip'.

Recommendations: For SINEC NMS versions prior to V1.0 SP1 Update 1, update to V1.0 SP1 Update 1 or later to resolve the issue. For SINEMA Server versions prior to V14.0 SP2 Update 2, update to V14.0 SP2 Update 2 or later to resolve the issue. As a temporary workaround, consider restricting file uploads or limiting access to the extractToFolder function in FirmwareFileUtils until a patch is available.