PT-2024-24613 · Znuny

Martino Spagnuolo · Published 2024-04-29 · Updated 2025-09-02 · CVE-2024-32491

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Znuny versions 6.0.31 through 6.5.7
Znuny versions 7.0.1 through 7.0.16
Description

An authenticated (logged-in) user can upload a file to an arbitrary location writable by the web server process by including path-traversal sequences in a manipulated AJAX upload request. If the destination is also served by the web server, the uploaded file can be requested and executed as arbitrary code. The flaw lies in the handling of the Filename parameter in the FormIDAddFile function of Kernel/System/Web/UploadCache/DB.pm: the client-supplied value is used to build the destination path without traversal sequences being rejected, so a crafted name escapes the upload cache directory. Note that the CVSS vector records PR:N even though exploitation requires a logged-in session; deployments where accounts are low-trust or self-service (for example customer logins) should be treated as fully exposed.
Recommendations

Znuny 6.0.31 through 6.5.7: upgrade to a release later than 6.5.7 (6.5.8 or later).
Znuny 7.0.1 through 7.0.16: upgrade to a release later than 7.0.16 (7.0.17 or later).

Until the upgrade is applied, reduce exposure in two ways. First, make sure no directory writable by the web server user is also served by it, so that a file placed by traversal cannot be reached over HTTP; this removes the code-execution outcome but not the arbitrary write. Second, reject, at the application edge (reverse proxy or WAF) or in the upload handler itself, any Filename value that contains a path separator or a ".." segment, since a legitimate attachment name never needs either. Restricting which users can reach the FormIDAddFile upload functionality limits who can trigger the flaw but does not remove it; only the vendor fix does.
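To make the flaw and the fix concrete, the following Python model is an added illustration and not Znuny code (Znuny is written in Perl, and the real FormIDAddFile signature and upload-cache layout are not reproduced here). It joins a client-supplied Filename onto an upload-cache directory the way a vulnerable handler would, shows a traversal value landing in a web-served directory, and then shows the hardened version that allow-lists the name and verifies the canonical target stays inside the cache before writing. The directory layout, the form-ID format and the traversal payload are all constructed for the demo.

```python
import os
import re
import tempfile


# Constructed directory layout for the demo (assumption: a writable upload
# cache next to a web-served htdocs directory; not Znuny's real paths).
def make_layout():
    root = tempfile.mkdtemp(prefix="uploadcache-demo-")
    cache = os.path.join(root, "var", "tmp", "upload_cache")
    htdocs = os.path.join(root, "var", "httpd", "htdocs")
    os.makedirs(cache)
    os.makedirs(htdocs)
    return root, cache, htdocs


def form_id_add_file_unsafe(cache_dir, form_id, filename, content):
    """Vulnerable pattern (hypothetical model, not Znuny's code): the
    client-controlled Filename is appended to the cache path unchanged, so
    '..' segments walk out of the cache directory."""
    form_dir = os.path.join(cache_dir, form_id)
    os.makedirs(form_dir, exist_ok=True)
    path = os.path.join(form_dir, filename)
    with open(path, "wb") as fh:
        fh.write(content)
    return os.path.realpath(path)


# Plain file names only: must start with an alphanumeric, no separators,
# bounded length. Leading-dot names (e.g. .htaccess) are rejected too.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")
SAFE_FORM_ID = re.compile(r"[0-9.]{1,64}")  # assumed shape of a form ID


def form_id_add_file_safe(cache_dir, form_id, filename, content):
    """Hardened pattern: allow-list the name, then canonicalise and verify
    the resolved target is still inside the cache before writing."""
    if not SAFE_FORM_ID.fullmatch(form_id):
        raise ValueError(f"rejected form id: {form_id!r}")
    # basename() strips any directory part; insisting that nothing was
    # stripped rejects '../x', '/abs/x' and 'dir/x' with one comparison.
    if os.path.basename(filename) != filename or not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    base = os.path.realpath(cache_dir)
    target = os.path.realpath(os.path.join(base, form_id, filename))
    # Defence in depth: even if the allow-list were loosened later, the write
    # only proceeds when the resolved path is under the cache root.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload cache: {target}")
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(content)
    return target


def demo():
    """Run a traversal payload through both versions and return the outcome
    as a dict so it can be checked programmatically."""
    _, cache, htdocs = make_layout()
    cache_real = os.path.realpath(cache)
    form_id = "1714392877.1"                        # constructed form ID
    payload = b"#!/usr/bin/perl\nprint 'owned';\n"  # constructed content
    traversal = "../../../httpd/htdocs/shell.pl"    # constructed Filename value

    landed = form_id_add_file_unsafe(cache, form_id, traversal, payload)
    results = {
        "unsafe_escaped_cache": os.path.commonpath([cache_real, landed]) != cache_real,
        "unsafe_landed_in_htdocs": os.path.dirname(landed) == os.path.realpath(htdocs),
    }
    for bad in (traversal, "/etc/passwd", "..", "dir/inner.txt", ""):
        try:
            form_id_add_file_safe(cache, form_id, bad, payload)
            results[f"safe_rejected:{bad}"] = False
        except ValueError:
            results[f"safe_rejected:{bad}"] = True
    good = form_id_add_file_safe(cache, form_id, "report.pdf", b"%PDF-1.4")
    results["safe_kept_inside_cache"] = os.path.commonpath([cache_real, good]) == cache_real
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points in the hardened version matter beyond this bug: the basename comparison catches absolute paths as well as ".." segments (a join with an absolute second argument discards the cache prefix entirely), and the realpath containment check is kept even though the allow-list already blocks every traversal form, so a later relaxation of the name rules cannot silently reopen the write outside the cache.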

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2024-32491

Affected Products

Debian
Znuny