Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
The vulnerability (CWE-434) consists of the lack of proper validation and restrictions on the types of files uploaded in the MagicINFO 9 Server application. An attacker can send a network request containing a file of a dangerous type (e.g., a server-side executable script) without needing to have any permissions. After upload, the server may process or execute such a file, resulting in code injection and execution in the context of the server process.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely on the server (RCE), and as a consequence, gain full control over the system, including violation of data confidentiality, integrity, and availability.
Samsung MagicINFO 9 Server must be updated immediately to version 21.1080.0 or later. Detailed information about available patches is available in the manufacturer's references: https://security.samsungtv.com/securityUpdates
Samsung MagicINFO 9 Server in all versions prior to 21.1080.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSamsung Magicinfo 9 Server
APPSamsung< 21.1080.0
Related vulnerabilities
Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM
Samsung MagicINFO 9 Server — Stored XSS przez upload plików HTML
Zakodowane na stałe dane logowania do bazy danych w Samsung MagicINFO 9 Server
Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell
Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection