Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0
The vulnerability consists of lack of proper file path restriction to allowed directories (CWE-22 — path traversal). An attacker can upload a file outside the designated target directory by placing it in a location accessible through the web server. This makes it possible to upload a web shell — a malicious script executed server-side — without requiring any authentication (PR:N, UI:N in the CVSS vector).
Attacker gains the ability to remotely execute arbitrary code on the server through the uploaded web shell, which may lead to complete system takeover, data breach, configuration modification, or further lateral movement in the network.
Samsung MagicINFO 9 Server must be immediately updated to version 21.1080.0 or later. Patch details are available from the vendor at: https://security.samsungtv.com/securityUpdates
Samsung MagicINFO 9 Server in all versions prior to 21.1080.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSamsung Magicinfo 9 Server
APPSamsung< 21.1080.0
Related vulnerabilities
Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM
Samsung MagicINFO 9 Server — Stored XSS przez upload plików HTML
Zakodowane na stałe dane logowania do bazy danych w Samsung MagicINFO 9 Server
Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell
Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection