Advantive VeraCore Upload Validation Vulnerability Allowing File Uploads to Unintended Directories

An upload validation vulnerability has been identified in Advantive VeraCore versions prior to 2024.4.2.1. This vulnerability allows remote authenticated users to upload files to unintended directories that may be accessible during web browsing by other users. The issue arises because the application only verifies the size of the uploaded files, and if not properly configured, the uploaded files can be accessed via the web server.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads, which could be used to execute malicious code or access sensitive information, depending on the nature of the uploaded files.

Reproduction

The vulnerability can be reproduced by logging into the VeraCore application and navigating to the upload feature. Once authenticated, files can be uploaded to various directories, including those that are publicly accessible through the web server.

Remediation

Users are advised to update to Advantive VeraCore version 2024.4.2.1 or later, where this vulnerability has been addressed.