CVE-2023-46253

Name of the Vulnerable Software and Affected Versions Squidex versions (affected versions not specified)

Description The issue concerns an arbitrary file write vulnerability in the backup restore feature of Squidex, allowing an authenticated attacker with the squidex.admin.restore permission to gain remote code execution (RCE). This occurs because the BackupAssets.ReadAssetAsync method does not properly sanitize the assetId when storing assets in the filestore, enabling an attacker to run arbitrary operating system commands on the underlying server.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.