SUMMARY
The following vulnerability was found in Visualware MyConnection Server 11.0 – 11.0b.
An unauthenticated remote code execution vulnerability was discovered in Visualware MyConnection Server 11.0 through 11.0b build 5382. The web endpoint at “https://example.com/myspeed/sf” lets an unauthenticated user upload an arbitrary file to an arbitrary location via a specially crafted POST request. This application is written in Java and is thus cross-platform. The Windows installation executes the web server as SYSTEM, which means that exploitation provides Administrator privileges on the target system.
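A defender-side check for the request described above, as an added example that is not part of the original advisory or of Visualware's code: it scans access logs for POST requests that resolve to /myspeed/sf after path normalization. The combined log format (from an assumed reverse proxy), the sample lines and the function names are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

VULN_PATH = "/myspeed/sf"  # endpoint named in the advisory

# Assumption: a reverse proxy in front of the server writes "combined" logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Reduce a request target to a canonical path for comparison."""
    path = target.split("?", 1)[0]           # drop the query string
    path = re.sub(r";[^/]*", "", path)       # drop ;path-parameters
    path = unquote(path)                     # decode %xx escapes
    path = re.sub(r"/{2,}", "/", path)       # collapse repeated slashes
    path = posixpath.normpath(path)          # resolve "." and ".." segments
    return path.lower()                      # over-match rather than miss

def find_upload_posts(lines):
    """Return (hits, per_ip) for POST requests that resolve to VULN_PATH."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalize_path(m["target"]) != VULN_PATH:
            continue
        hits.append((m["ts"], m["ip"], m["target"], int(m["status"])))
        per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /myspeed/sf HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:01:12 +0000] "POST /myspeed/sf HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:01:15 +0000] "POST /myspeed//%73f;x=1?a=b HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "POST /myspeed/other HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    hits, per_ip = find_upload_posts(SAMPLE_LOG)
    for ts, ip, target, status in hits:
        print(f"{ts} {ip} POST {target} -> {status}")
    print(dict(per_ip))
```

Because the endpoint requires no authentication, each hit should be reviewed by source address rather than filtered by session or login state.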
IMPACT
Access Vector: REMOTE
Access Complexity: LOW
Authentication: NOT REQUIRED TO EXPLOIT
Impact Type: CODE EXECUTION
Privilege Level: VARIES