CVE-2025-69770
MojoPortal · MojoPortal CMS
MojoPortal CMS is vulnerable to a "Zip Slip" (archive path traversal) flaw in the SkinList.aspx endpoint: a specially crafted zip file upload lets an attacker write files outside the intended extraction directory and from there execute arbitrary code on the server.
Executive summary
MojoPortal CMS version 2.9.0.1 is vulnerable to a critical Zip Slip flaw: uploading a malicious archive lets an attacker write arbitrary files on the server and, from there, achieve remote code execution.
Vulnerability
This is a directory traversal vulnerability in archive extraction (Zip Slip), reachable through the /DesignTools/SkinList.aspx endpoint. When an uploaded skin archive is unpacked, entry names are joined onto the extraction directory without being canonicalized and checked to remain inside it, so an entry whose name contains ".." sequences is written outside the skins directory, to any location on the server filesystem that the web server account can write to.
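The extraction bug described above, as an added illustration that is not MojoPortal's code: a crafted archive is built in memory (constructed sample input; the directory layout under the temporary web root and the entry name shell.aspx are hypothetical), a naive extractor joins the entry name onto the destination and writes it outside the skins directory, and a hardened extractor canonicalizes every target and rejects the archive before writing anything.

```python
"""Zip Slip on a constructed archive: a naive extractor beside a hardened one.

Added example, not MojoPortal code. The web-root layout and the entry name
"shell.aspx" are constructed for the demonstration.
"""
import io
import os
import tempfile
import zipfile

# Constructed sample entries. zipfile.writestr() stores the traversal name
# verbatim, exactly as a hand-built malicious archive would.
BENIGN_ENTRY = "skin/layout.master"
TRAVERSAL_ENTRY = "../../../shell.aspx"


def build_skin_zip(malicious: bool) -> bytes:
    """Return an in-memory zip; with malicious=True it also carries the traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, "<html>benign skin file</html>")
        if malicious:
            zf.writestr(TRAVERSAL_ENTRY, "<!-- placeholder for an .aspx payload -->")
    return buf.getvalue()


def extract_vulnerable(data: bytes, dest: str) -> list[str]:
    """Join each entry name onto dest and write it; nothing checks that the result stays inside dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.normpath(os.path.join(dest, info.filename))  # ".." is honoured, not removed
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def safe_target(dest: str, name: str) -> str:
    """Canonicalise dest/name and refuse anything that does not stay under dest.

    Comparing resolved paths (not raw strings) also catches absolute entry
    names and symlinked parent directories, not just literal "../" sequences.
    """
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"archive entry escapes destination: {name!r}")
    return candidate


def entry_is_safe(dest: str, name: str) -> bool:
    """Boolean wrapper around safe_target() for quick checks of a single entry name."""
    try:
        safe_target(dest, name)
        return True
    except ValueError:
        return False


def extract_hardened(data: bytes, dest: str) -> list[str]:
    """Same extraction loop, but every name is validated before a single byte is written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        targets = [(i, safe_target(dest, i.filename)) for i in members]  # raises on a bad archive
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Run both extractors in a throwaway tree and report where the traversal entry landed."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.realpath(os.path.join(tmp, "wwwroot"))
        upload_dir = os.path.join(webroot, "Data", "skins", "incoming")  # hypothetical layout
        hardened_dir = os.path.join(webroot, "hardened")
        os.makedirs(upload_dir)

        vuln_paths = extract_vulnerable(build_skin_zip(malicious=True), upload_dir)
        escaped = [os.path.relpath(p, webroot) for p in vuln_paths
                   if os.path.commonpath([upload_dir, p]) != upload_dir]
        try:
            extract_hardened(build_skin_zip(malicious=True), hardened_dir)
            rejected = False
        except ValueError:
            rejected = True
        untouched = not os.path.exists(hardened_dir)
        benign = extract_hardened(build_skin_zip(malicious=False), hardened_dir)
        return {
            "escaped": escaped,
            "shell_in_webroot": os.path.isfile(os.path.join(webroot, "shell.aspx")),
            "hardened_rejected": rejected,
            "hardened_dir_untouched": untouched,
            "benign_extracted": len(benign),
        }


if __name__ == "__main__":
    print(run_demo())
```

Three levels of "../" from the hypothetical Data/skins/incoming directory land the payload directly in the web root, which is the point of the attack: on an ASP.NET host a file named *.aspx there is compiled and executed on the next request. The hardened version validates all entry names first and only then writes, so a rejected archive leaves no partially extracted state behind.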
Business impact
A successful exploit gives the attacker an arbitrary file write on the server. In an ASP.NET application this typically becomes Remote Code Execution (RCE): dropping an .aspx page into the web root is enough, because ASP.NET compiles and runs it on the next request, and overwriting existing application or configuration files works as well. The result is full compromise of the server, with potential data exfiltration and significant downtime. The CVSS score of 10 is the maximum possible and reflects this.
Remediation
Immediate Action: Update MojoPortal CMS to a release that fixes this issue and, until that is done, restrict access to the /DesignTools/ directory (at the web server, reverse proxy or firewall) to trusted administrative IP addresses only.
Proactive Monitoring: Audit the web root for unexpected files, in particular new or modified .aspx, .ashx, .asmx and .dll files and changes to web.config, and monitor for suspicious child processes (cmd.exe, powershell.exe) spawned by the web server worker process (w3wp.exe when hosted on IIS).
Compensating Controls: Implement file integrity monitoring (FIM) on the web root, and run the web server application pool under the least-privileged identity possible, with write access only to the directories the application needs, so that a traversal write cannot reach the bin directory, web.config or system locations.
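The audit and file-integrity checks recommended above, as an added example that is not MojoPortal's code or any particular FIM product: the web root is hashed once as a baseline, hashed again later, and the diff is classified, with new or modified files carrying extensions the ASP.NET pipeline executes flagged as suspicious. The deployment files and the dropped shell.aspx are constructed for the demonstration, and the extension list is a starting point rather than an exhaustive catalogue.

```python
"""Web-root integrity check: baseline the tree, then report new or changed files.

Added example, not MojoPortal code. File names under the temporary web root
are constructed; EXECUTABLE_EXTENSIONS is a starting list, not exhaustive.
"""
import hashlib
import os
import tempfile

# Extensions the ASP.NET pipeline compiles or loads. A new file with one of these
# in the web root is the classic footprint of a web shell dropped via a file write.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".ascx", ".master", ".dll", ".config"}


def snapshot(root: str) -> dict[str, str]:
    """Map every file under root (relative path, '/'-separated) to its SHA-256 hex digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the changes between two snapshots and flag those the server would execute."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = sorted(p for p in added + modified
                        if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTENSIONS)
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def _write(root: str, rel: str, text: str) -> None:
    """Helper for the demo: create a text file at root/rel, making parent directories."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def run_demo() -> dict[str, list[str]]:
    """Baseline a constructed deployment, simulate a traversal write, and return the diff."""
    with tempfile.TemporaryDirectory() as webroot:
        # Constructed "known good" deployment.
        _write(webroot, "Default.aspx", "<%@ Page %> home")
        _write(webroot, "web.config", "<configuration/>")
        _write(webroot, "Data/skins/custom/layout.master", "<html>skin</html>")
        _write(webroot, "Data/skins/custom/style.css", "body{}")
        baseline = snapshot(webroot)

        # Simulate what a successful Zip Slip write leaves behind: a new page in the
        # web root plus a legitimately edited skin file, to show the two are told apart.
        _write(webroot, "shell.aspx", "<%@ Page %> dropped shell")
        _write(webroot, "Data/skins/custom/style.css", "body{color:red}")
        return diff_snapshots(baseline, snapshot(webroot))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:10s} {paths}")
```

In practice the baseline is taken from a clean deployment and stored off the host (a compromised server can rewrite a local baseline), the comparison runs on a schedule from a separate account, and known-volatile paths such as log and cache directories are excluded so that real changes to .aspx files or web.config stand out.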
Exploitation status
Public Exploit Available: false
Analyst recommendation
With a CVSS score of 10, this vulnerability requires an emergency response. Organizations must patch MojoPortal immediately to prevent attackers from gaining full system-level access through the skin upload functionality.