The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.
The vulnerability results from two related weaknesses: lack of proper path validation during file uploads (path traversal, CWE-22/CWE-23) and lack of restrictions on accepted file types (CWE-434). An unauthenticated attacker can send an HTTP request containing a malicious file (e.g., PHP/ASP webshell) with a manipulated target path. Through path traversal, the file is placed outside the intended directory — directly into a location accessible by the web server. After placing the webshell on the server, the attacker can invoke it through a browser and execute arbitrary system commands.
An attacker gains the ability to execute arbitrary code on the server (RCE) with the privileges of the web server process, which may result in complete system takeover, data theft, and further lateral movement in the network.
Apply patches available from the vendor in accordance with references published by TWCERT/CC (https://www.twcert.org.tw/en/cp-139-8255-0bb1a-2.html). Until updates are applied, consider disabling file upload functionality or restricting application access exclusively to trusted networks.
TRCore's DVC product — specific versions indicated in vendor references (TWCERT/CC).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTrcore Dvc
APPTrcore6.0 – 6.4 (bez)
Related vulnerabilities
Path Traversal i unrestricted file upload w TRCore DVC — RCE bez uwierzytelnienia
Path Traversal i nieograniczony upload plików w TRCore DVC — RCE
Path Traversal i nieograniczony upload plików w TRCore DVC umożliwiający RCE
TRCore DVC — Path Traversal i nieograniczony upload plików prowadzący do RCE
The DVC from TRCore has a Path Traversal vulnerability, allowing unauthenticated remote attackers to exploit t...