An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
The vulnerability classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) results from a lack of proper validation of uploaded files on the server side. An attacker can upload a crafted PDF file containing a malicious payload, which is then processed or executed by the application. This enables remote code execution (RCE) without the need for any permissions.
An attacker can gain full control of the server, including access to sensitive data, modification of system content, and disruption of its operation. It is possible to compromise the entire application environment without prior authentication.
Apply patches available from the manufacturer according to references. Additionally, it is recommended to implement server-side controls that verify the type and content of uploaded files, as well as restrict the ability to execute files in directories where users can upload files.
Ascertia SigningHub in version 8.6.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAscertia Signinghub
APPAscertia≤ 8.6.8
Related vulnerabilities
Brak rate limiting w funkcji resetowania hasła w Ascertia SigningHub
Brak rate limiting w SigningHub umożliwia atak brute force na logowanie
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any ra...
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to c...
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attac...