A zip slip vulnerability in the /DesignTools/SkinList.aspx endpoint of MojoPortal CMS v2.9.0.1 allows attackers to execute arbitrary commands via uploading a crafted zip file.
The vulnerability consists of improper validation of file paths during the extraction of a ZIP archive uploaded through the /DesignTools/SkinList.aspx endpoint. An attacker can craft a ZIP archive containing files with paths that reference parent directories (path traversal), allowing malicious files to be written outside the intended target directory. This makes it possible to place an executable file (e.g., a web shell) in any location accessible to the web server, leading to the execution of arbitrary system commands.
An attacker can gain full control over the server — execute arbitrary system commands, read and modify data, and potentially take control of the entire infrastructure hosting the application (full confidentiality, integrity, and availability of the system are at risk).
MojoPortal CMS should be updated to version 2.9.1 or newer, available at https://www.mojoportal.com/mojoportal-2-9-1. Until the patch is deployed, it is recommended to restrict access to the /DesignTools/SkinList.aspx endpoint only to trusted, authenticated administrative users at the firewall or web server level.
MojoPortal CMS version 2.9.0.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H