CVE-2020-37080
webTareas · webTareas
webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php component, allowing attackers to delete arbitrary files on the server.
Executive summary
A file deletion vulnerability in the webTareas 2.0.p8 administration component allows attackers to delete critical system files, potentially leading to denial-of-service or system instability.
Vulnerability
The 'print_layout.php' component fails to properly validate the 'atttmp1' parameter, allowing an attacker to traverse directories and delete arbitrary files. Although the description states that authentication is required, it also describes an unauthenticated file-deletion path, which points to a severe access-control flaw.
Business impact
The ability to delete arbitrary files on the server can result in a complete Denial of Service (DoS) by removing critical configuration or system files. With a CVSS score of 9.8, the potential for catastrophic system failure and data loss is extreme, necessitating urgent remediation.
Remediation
Immediate Action: Update webTareas to the latest version to patch the file deletion logic in the administration component.
Proactive Monitoring: Monitor filesystem integrity and log file deletion events, specifically looking for unauthorized access to the 'print_layout.php' component.
Compensating Controls: Restrict access to the administration interface to trusted IP addresses and ensure the application runs with the minimum necessary filesystem permissions to limit the impact of potential deletions.
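As an added example (not code from the advisory or the webTareas project), the monitoring step above can be turned into a small access-log check: it flags GET requests to print_layout.php whose atttmp1 value decodes to a directory-traversal pattern, including double-encoded dots. The log format, URL paths and client addresses in the sample are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format request extractor (constructed for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')

def decode_param(value: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded dots like %252e are seen."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur

def is_traversal(value: str) -> bool:
    """True when a filename parameter could escape its intended directory."""
    v = decode_param(value).replace("\\", "/")
    if "\x00" in v or v.startswith("/"):
        return True
    return any(seg == ".." for seg in v.split("/"))

def is_suspicious(line: str):
    """Return (client ip, decoded atttmp1) for a print_layout.php request whose atttmp1
    looks like traversal, else None. Only GET query strings are visible in access logs;
    POST bodies need application-level logging."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/print_layout.php"):
        return None
    # parse_qs already removes one layer of encoding; decode_param handles the rest.
    for val in parse_qs(parts.query, keep_blank_values=True).get("atttmp1", []):
        if is_traversal(val):
            return m.group("ip"), decode_param(val)
    return None

def scan(lines):
    """Run the check over an iterable of access-log lines and collect the hits."""
    return [hit for hit in map(is_suspicious, lines) if hit]

# Constructed sample log; paths and addresses are illustrative, not from the advisory.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /webTareas/print_layout.php?atttmp1=report.pdf HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /webTareas/print_layout.php?atttmp1=..%2F..%2Fconfig.php HTTP/1.1" 200 43',
    '192.0.2.10 - - [10/Oct/2023:13:56:09 +0000] "GET /webTareas/print_layout.php?atttmp1=%252e%252e%2F%252e%252e%2F.htaccess HTTP/1.1" 200 43',
    '198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /webTareas/index.php?atttmp1=..%2Fx HTTP/1.1" 200 43',
]
```

Feed real access-log lines to scan() and forward each hit to the alerting pipeline; pair it with filesystem integrity monitoring, since a hit only shows the attempt, not whether a file was actually removed.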
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability poses a severe risk to system stability. Administrators should apply the vendor-provided patch immediately and review access control configurations to ensure that only authorized personnel can interact with administrative components.