CVE-2022-39812

Name of the Vulnerable Software and Affected Versions Italtel NetMatch-S CI version 5.2.0-20211008

Description The issue allows an unauthenticated user to upload files to an arbitrary path due to Absolute Path Traversal under NMSCI-WebGui/SaveFileUploader. An attacker can modify the uploadDir parameter in a POST request to an arbitrary directory. Since the application does not verify the upload directory, this can lead to unauthorized access to the server.

Recommendations For Italtel NetMatch-S CI version 5.2.0-20211008, consider restricting access to the NMSCI-WebGui/SaveFileUploader to prevent unauthorized file uploads until a patch is available. As a temporary workaround, restrict modifications to the uploadDir parameter in POST requests to prevent arbitrary directory uploads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.