PT-2022-27068 · Unknown · Backclick Professional

Published 2022-11-16 · Updated 2022-11-20 · CVE-2022-44006

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BACKCLICK Professional version 5.9.63

Description: An issue was discovered due to improper validation or sanitization of upload filenames, allowing an externally reachable, unauthenticated update function to write files outside the intended target location. This can lead to remote code execution, for example, by uploading an executable file.

Recommendations: For BACKCLICK Professional version 5.9.63, consider disabling the unauthenticated update function until a patch is available, to prevent files from being written outside the intended target location and to minimize the risk of remote code execution. Restrict access to the update function to minimize the risk of exploitation. Avoid using the update function with unvalidated or unsanitized filenames until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
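The root cause named above is a client-supplied upload filename reaching a file write without validation. As an added illustration that is not part of this advisory or the vendor's code, the following shows the naive join that allows the escape beside a hardened check that pins the written file inside the intended directory; `UPLOAD_ROOT` and all function names are assumptions.

```python
import os
import re
from pathlib import Path

# Constructed example: stands in for the update function's intended target
# directory (assumed path, not taken from the advisory).
UPLOAD_ROOT = Path("/var/app/updates")

def vulnerable_target(upload_root: Path, filename: str) -> Path:
    """The weak pattern: the client's name is joined onto the root with no
    validation, so '../' segments or an absolute path escape the root."""
    return Path(os.path.join(str(upload_root), filename))

def escapes_root(upload_root: Path, filename: str) -> bool:
    """True when the naive join above would land outside upload_root."""
    root = os.path.abspath(upload_root)
    naive = os.path.normpath(vulnerable_target(upload_root, filename))
    return os.path.commonpath([root, naive]) != root

# Allow-list for a single path component: no separators, no NULs, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")

def safe_target(upload_root: Path, filename: str) -> Path:
    """Hardened form: accept one allow-listed component, then prove that the
    resolved path (symlinks and '..' collapsed) is a direct child of the root."""
    if not SAFE_NAME.fullmatch(filename) or filename in (".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    root = upload_root.resolve()
    target = (root / filename).resolve()
    if target.parent != root:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return target

def is_accepted(upload_root: Path, filename: str) -> bool:
    """Convenience wrapper: does the hardened check accept this filename?"""
    try:
        safe_target(upload_root, filename)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample filenames an upload handler might receive.
    for name in ("update-package.zip", "../../etc/cron.d/job", "/tmp/x.sh", "a\x00.zip"):
        print(f"{name!r:28} naive escapes root: {escapes_root(UPLOAD_ROOT, name)!s:5} "
              f"hardened accepts: {is_accepted(UPLOAD_ROOT, name)}")
```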

Exploit

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2022-44006

Affected Products

Backclick Professional