Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an unauthenticated attacker to upload malicious files to the server. Once a web shell is installed, the attacker gains the ability to execute arbitrary commands.
The database restore function accepts uploaded ZIP files without verifying user identity (no authentication). The contents of the uploaded ZIP archive are automatically extracted on the server side without proper content validation. An attacker can place a malicious file (e.g., web shell) in the archive, which after extraction is saved in an accessible location on the server. After installing the web shell, the attacker gains the ability to execute arbitrary system commands.
An unauthenticated remote attacker can gain full control over the server by installing a web shell and executing arbitrary commands, leading to violations of system confidentiality, integrity, and availability.
Wallos should be updated to a version higher than 2.38.2 according to information available from the vendor and in references. Until the patch is deployed, it is recommended to restrict access to the database restore functionality at the firewall or reverse proxy level.
Wallos (Wallosapp) in versions 2.38.2 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWallosapp Wallos
APPWallosapp≤ 2.38.2
Related vulnerabilities
Wallos – niebezpieczny upload pliku ZIP umożliwiający RCE
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoint...
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix ap...
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch intro...
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a serv...