CVE-2023-47314

Name of the Vulnerable Software and Affected Versions Headwind MDM Web panel version 5.22.1

Description The issue allows attackers to upload arbitrary files, including HTML files, to the server. When a victim downloads and opens one of these files, their browser renders the content as a web page, executing any client-side code contained within. This enables attackers to perform common cross-site scripting (XSS) attacks by sharing the download URL with victims. The file upload function, specifically allowing APK and arbitrary files, is the entry point for this issue.

Recommendations For Headwind MDM Web panel version 5.22.1, consider disabling the file upload function temporarily to prevent exploitation until a patch is available. Restrict access to the file download function to minimize the risk of attackers sharing malicious HTML files. Avoid using the file upload feature for sensitive operations until the issue is resolved.