Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests
The vulnerability results from a combination of path traversal vulnerability (CWE-22) with content injection capability in the JobRunnerBackground.aspx component. An attacker, without possessing any authentication credentials, can craft an HTTP request that traverses outside the allowed filesystem area and then inject and execute malicious server-side code. The entire attack requires no user interaction or special prerequisites.
An attacker gains the ability to execute arbitrary code remotely on the server (RCE), which in practice means full system takeover, data breach, and potential lateral movement within the internal network.
DynamicWeb 9 must be immediately updated to version 9.19.7 or 9.20.3 (or newer). For DynamicWeb 8, patches available from the manufacturer should be applied according to references (https://doc.dynamicweb.dev/documentation/fundamentals/dw10release/security-reports.html). Until patches are applied, it is recommended to restrict access to the JobRunnerBackground.aspx endpoint at the firewall or web server rules level.
DynamicWeb 8 (all versions) and DynamicWeb 9 in versions below 9.19.7 and below 9.20.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X