PT-2023-15100 · Vocera · Vocera Voice Server, Vocera Report Server

Published: 2023-07-25 · Updated: 2023-08-01 · CVE-2022-46899

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Vocera Report Server and Voice Server versions 5.x through 5.8

Description: An issue was discovered that allows arbitrary file upload. The BaseController class, from which each of the service controllers derives, permits the upload of arbitrary files. If the HTTP request is a multipart/form-data POST request, any parameter with a filename entry has its content written to a file in the Vocera upload-staging directory, using the filename specified in that parameter.

Recommendations: For versions 5.x through 5.8, consider disabling the file upload functionality in the BaseController class until a patch is available. Restrict access to the upload-staging directory to minimize the risk of exploitation. Avoid using parameters with filename entries in multipart/form-data POST requests to affected API endpoints until the issue is resolved.
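As an added illustration (not code from the advisory or from Vocera), a minimal multipart/form-data parser paired with the upload policy the description implies is missing: only allow-listed form fields may carry a file, and the client-supplied filename must be a bare name that resolves inside the staging directory. The staging path, the boundary and the request body are constructed for this example.

```python
import re
from pathlib import Path

# Hypothetical location; the advisory only says "the Vocera upload-staging directory".
STAGING_DIR = Path("/var/lib/vocera/upload-staging")
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # bare name: no separators, no leading dot
DISPOSITION_ATTR = re.compile(rb'(\w+)="([^"]*)"')

def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal multipart/form-data parser: one (field name, filename or None, content) per part."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, _, data = chunk[2:].partition(b"\r\n\r\n")  # [2:] drops the CRLF after the delimiter
        attrs = {k.decode(): v.decode() for k, v in DISPOSITION_ATTR.findall(head)}
        parts.append((attrs.get("name", ""), attrs.get("filename"), data[:-2]))  # [:-2] drops trailing CRLF
    return parts

def staged_path(filename: str, staging_dir: Path = STAGING_DIR) -> Path:
    """Hardened mapping: validate the client-supplied name, then confirm it resolves inside staging_dir."""
    if not SAFE_NAME.match(filename):
        raise ValueError(f"rejected filename {filename!r}")
    target = (staging_dir / filename).resolve()
    if target.parent != staging_dir.resolve():  # defence in depth, e.g. against symlinked entries
        raise ValueError(f"{filename!r} escapes the staging directory")
    return target

def plan_uploads(body: bytes, boundary: str, allowed_fields: frozenset, staging_dir: Path = STAGING_DIR):
    """Only allow-listed fields may carry a file, and names must pass staged_path(). Writes nothing."""
    accepted, rejected = {}, []
    for field, filename, _content in parse_multipart(body, boundary):
        if filename is None:
            continue  # ordinary form value, never written to disk
        try:
            if field not in allowed_fields:
                raise ValueError(f"field {field!r} may not upload files")
            accepted[field] = staged_path(filename, staging_dir)
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected

# Constructed sample body: a plain field, a legitimate upload, an upload on a non-file field, and a name with a directory component.
BOUNDARY = "----demo"
SAMPLE_BODY = (
    b'------demo\r\nContent-Disposition: form-data; name="note"\r\n\r\nhello\r\n'
    b'------demo\r\nContent-Disposition: form-data; name="report"; filename="q3.csv"\r\nContent-Type: text/csv\r\n\r\nid,val\r\n1,2\r\n'
    b'------demo\r\nContent-Disposition: form-data; name="comment"; filename="x.txt"\r\n\r\nstray\r\n'
    b'------demo\r\nContent-Disposition: form-data; name="archive"; filename="../q3.csv"\r\n\r\nzip\r\n'
    b'------demo--\r\n'
)
```

Running `plan_uploads(SAMPLE_BODY, BOUNDARY, frozenset({"report", "archive"}))` accepts only the `report` part and reports why the other two file parts were refused.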

Fix

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2022-46899

Affected Products: Vocera Report Server, Vocera Voice Server