Researchers from White Oak Security have disclosed critical vulnerabilities including a zero-day flaw that’s yet to be patched in Extensis Portfolio that cumulatively has a user-facing main content management application, an administrator portal, and a content hosting application.
Researchers uncovered an instance of the software, deployed online, with default administrator credentials in use during one of the testings. After examining the security oversight further, the duo found they were able to achieve remote code execution through an unrestricted file upload bug.
The source code of Extensis Portfolio version 3.6.3 has been tested and found a total of five vulnerabilities that required immediate attention:
- CVE-2022-24251 – RCE via unrestricted file upload
- CVE-2022-24255 – Hardcoded credentials in the main and administrator portals (authentication bypass)
- CVE-2022-24252 – Unrestricted file upload and path traversal error leading to RCE in the main portal
- CVE-2022-24254 – Authenticated archive ‘zip-slip’, a directory traversal bug, exploitable for RCE
- CVE-2022-24253 – Authenticated, but unrestricted file upload flaw in admin portal leading to RCE
According to the researchers , Extensis confirmed receipt of the report and recommended that the team test Portfolio Server v.4.0.0, as some fixes had been issued after v.3.6.3. But researchers confirmed that the original RCE vulnerability was unpatched in v4.0.0, and not heard any further details from the vendor
Extensis has been informed that four other critical vulnerabilities also needed to be resolved, and while the vendor provided mitigation options for the unrestricted file upload bug, the company allegedly refused to give a timeline for any further fixes. Extensis said “these security issues had not been prioritized and Extensis did not have an expected date for remediation” according to research team .
Since the patch was not made available at right time and no correct indication , researchers are compelled to make the finding public.