Welotec SmartEMS Path Traversal Vulnerability Leading to Arbitrary File Write and Potential Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in the Welotec SmartEMS Web Application, affecting versions prior to 3.3.6. The issue arises because the upload endpoint does not properly validate the 'Upload-Key' request header. This flaw allows authenticated attackers to manipulate upload data and place it outside the designated storage area. In certain configurations, this could be exploited to write arbitrary files, potentially leading to remote code execution.
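The flaw described above is the classic pattern of a client-supplied value being joined onto a storage directory without containment checks. The following is an added example (it is not SmartEMS code and does not reflect how that product is implemented) showing the unsafe join beside a hardened validator: the header name 'Upload-Key' is taken from the advisory, while the upload root, the function names and the sample keys are constructed for illustration.

```python
"""Added example, not SmartEMS code: validating an 'Upload-Key' value before it is
used to build a filesystem path. The upload root and all sample keys are
constructed for illustration."""
import os
import re
from pathlib import Path

# Hypothetical storage area; a real deployment uses its configured upload directory.
UPLOAD_ROOT = Path("/var/lib/example-ems/uploads")

# Allow only opaque identifiers: alphanumerics plus '.', '_' and '-', no path separators,
# and the first character must be alphanumeric so '.' and '..' cannot match.
_KEY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def naive_destination(upload_key: str, root: Path = UPLOAD_ROOT) -> Path:
    """The unsafe pattern: the header value is joined onto the root as received.
    A key containing '..' segments, or an absolute path, lands outside the root."""
    return Path(os.path.join(str(root), upload_key))


def safe_destination(upload_key: str, root: Path = UPLOAD_ROOT) -> Path:
    """Hardened version: an allow-list on the key's syntax, followed by a containment
    check on the resolved target so that anything the allow-list did not anticipate
    (symlinks, unusual normalisation) is still rejected."""
    if not _KEY_RE.fullmatch(upload_key):
        raise ValueError("Upload-Key must be an opaque identifier")
    root_resolved = root.resolve()
    target = (root_resolved / upload_key).resolve()
    # The resolved target must sit strictly beneath the resolved upload root.
    if root_resolved not in target.parents:
        raise ValueError("Upload-Key resolves outside the upload directory")
    return target


def key_is_accepted(upload_key: str) -> bool:
    """True if the hardened validator accepts the key, False if it rejects it."""
    try:
        safe_destination(upload_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample keys: one legitimate identifier and two traversal attempts.
    for key in ("firmware-2025-09.bin", "../../etc/cron.d/job", "/etc/passwd"):
        print(f"{key!r}: naive -> {naive_destination(key)}, accepted -> {key_is_accepted(key)}")
```

The allow-list alone would already stop the keys shown, but the second check is the one worth keeping in a fix: it does not depend on enumerating bad characters, and a regression in the allow-list still cannot move a write outside the upload root.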

Impact

Exploitation of this vulnerability allows authenticated attackers to write files outside the intended upload directory, with the possibility of overwriting existing files or placing files in sensitive locations. Depending on filesystem permissions and the execution context, this could be escalated to remote code execution.

Remediation

Users are advised to update SmartEMS to version 3.3.6, which addresses this vulnerability. Additionally, access to the SmartEMS Web UI should be restricted to trusted admin networks or VPNs, and strong credentials should be enforced, with active tokens or sessions rotated or revoked as necessary.

Added: Sep 10, 2025, 7:34 AM
Updated: Sep 10, 2025, 7:34 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.2
remediation: 0.0
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.