CVE-2019-18643

Name of the Vulnerable Software and Affected Versions Rock RMS versions before 8.10 Rock RMS versions 9.0 through 9.3

Description The issue is related to the improper validation of files uploaded in the application, where the only protection mechanism is a file-extension blacklist. This blacklist can be bypassed by adding multiple spaces and periods after the file name, potentially allowing an attacker to upload ASPX code and gain remote code execution on the application. The application typically runs as LocalSystem.

Recommendations For Rock RMS versions before 8.10, update to version 8.10 to resolve the issue. For Rock RMS versions 9.0 through 9.3, update to version 9.4 to resolve the issue. As a temporary workaround, consider restricting file uploads or implementing additional validation mechanisms to minimize the risk of exploitation.