ricardojoserf/CVE-2021-40845

GitHub

github.com

nvd.nist.gov

Releases0

Stars2

AlphaWeb XE, the embedded web server running on AlphaCom XE, has a vulnerability which allows to upload PHP files leading to RCE once the authentication is successful - https://ricardojoserf.github.io/CVE-2021-40845/

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2021-40845 ↗	Sep 15, 2021Wednesday, 15 September 2021, 13:15	8.8 HIGH	6.5 MEDIUM
The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory.