PT-2022-11781 · Bbs · Bbs

Mysteryzo · Published 2022-03-28 · Updated 2022-04-04 · CVE-2021-43099

CVSS v3.1: 4.9 Medium

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

bbs version 5.3

Description

The UpgradeNow function in UpgradeManageAction.java contains an archive extraction vulnerability, also known as "Zip Slip". The function unzips arbitrary uploaded zip files without checking entry filenames, so a specially crafted archive that holds directory traversal filenames, such as ../../evil.exe, can write files outside the intended extraction directory.

Recommendations

For bbs version 5.3, consider disabling the UpgradeNow function in UpgradeManageAction.java until a patch is available. Restrict access to the UpgradeManageAction.java module to minimize the risk of exploitation. Avoid using the UpgradeNow function with untrusted zip files until the issue is resolved.

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-43099

Affected Products

Bbs