SUMMARY
The following vulnerability was found in Visualware MyConnection Server 11.0 – 11.0b.
An unauthenticated remote code execution vulnerability was discovered in Visualware MyConnection Server 11.0 through 11.0b build 5382. The web endpoint at “https://example.com/myspeed/sf” lets an unauthenticated user upload an arbitrary file to an arbitrary location via a specially crafted POST request. This application is written in Java and is thus cross-platform. The Windows installation executes the web server as SYSTEM, which means that exploitation provides Administrator privileges on the target system.
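For triage on an affected server, the following added example (not part of the original advisory or of Visualware's code) scans web access logs for POST requests to the endpoint named above and groups them by client address. It assumes Common/Combined Log Format from a proxy or web server in front of the application; the function names and sample lines are constructed for illustration, and a hit is a lead for review, not proof of exploitation.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

TARGET_PATH = "/myspeed/sf"  # endpoint named in the advisory

# Assumption: Common/Combined Log Format; the product's own log layout
# is not described in the advisory.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def canonical_path(target):
    """Drop the query, percent-decode, collapse '//' and '.', lowercase (deliberately broad)."""
    path = unquote(target.split("?", 1)[0])
    return normpath("/" + path.lstrip("/")).lower()

def find_upload_posts(lines):
    """Return {client_ip: [(timestamp, status, raw_target), ...]} for POSTs to TARGET_PATH."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line or not a POST
        if canonical_path(m["target"]) == TARGET_PATH:
            hits[m["ip"]].append((m["ts"], int(m["status"]), m["target"]))
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "POST /myspeed/sf HTTP/1.1" 200 15 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:10:01:05 +0000] "POST /myspeed//sf?a=1 HTTP/1.1" 200 15 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /myspeed/sf HTTP/1.1" 405 0 "-" "-"',
    '198.51.100.20 - - [01/Jan/2024:10:03:00 +0000] "POST /%6Dyspeed/./SF HTTP/1.1" 500 0 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:10:04:00 +0000] "POST /myspeed/sfx HTTP/1.1" 404 0 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, events in find_upload_posts(SAMPLE).items():
        print(ip, len(events), events)
```
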
IMPACT
Access Vector: REMOTE
Access Complexity: LOW
Authentication: NOT REQUIRED TO EXPLOIT
Impact Type: CODE EXECUTION
Privilege Level: VARIES