CVE-2021-45887

Name of the Vulnerable Software and Affected Versions PONTON X/P Messenger versions prior to 3.11.2

Description An issue was discovered due to path traversal in private/SchemaSetUpload.do for uploaded ZIP files. This allows an executable script to be uploaded by web application administrators, giving the attacker remote code execution on the underlying server via an imgs/*.jsp URI.

Recommendations For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the private/SchemaSetUpload.do endpoint and limiting the ability to upload ZIP files to prevent potential exploitation.