ZSA-2024-01
A logged-in user can upload a file to an arbitrary writable location by traversing paths in a manipulated AJAX request. Arbitrary code can be executed if this location is publicly available through the web server.
Thanks to Martino Spagnuolo for reporting.
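
The class of check that prevents the path traversal described above, as an added example that is not the affected project's code or its actual fix. The function names, the `uploads` directory and the sample file names are all constructed for illustration, and a POSIX host is assumed.

```python
import os
import tempfile

class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied name would escape the upload root."""

def naive_destination(upload_root, client_name):
    # Pattern that permits traversal: the client-controlled name is joined as-is.
    return os.path.join(upload_root, client_name)

def safe_destination(upload_root, client_name):
    """Return an absolute path strictly inside upload_root, or raise."""
    if not client_name or "\x00" in client_name:
        raise UnsafeUploadPath("empty name or NUL byte")
    # Treat both separator styles as separators, whatever the host OS.
    normalized = client_name.replace("\\", "/")
    root = os.path.realpath(upload_root)
    # realpath collapses ".." and resolves symlinks, so the comparison below
    # sees the location the write would really land in.
    candidate = os.path.realpath(os.path.join(root, normalized))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafeUploadPath(f"{client_name!r} resolves outside {root}")
    return candidate

# Constructed sample names (assumption: not taken from the advisory).
SAMPLES = ["report.pdf", "sub/photo.png", "../outside/x.txt",
           "a/../../x.txt", "/srv/other/x.txt", "..\\x.txt"]

def check_samples():
    """Map each sample name to (naive join escapes root?, hardened verdict)."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.realpath(os.path.join(base, "uploads"))
        os.mkdir(root)
        for name in SAMPLES:
            naive = os.path.realpath(naive_destination(root, name))
            escaped = os.path.commonpath([root, naive]) != root
            try:
                safe_destination(root, name)
                verdict = "accepted"
            except UnsafeUploadPath:
                verdict = "rejected"
            results[name] = (escaped, verdict)
    return results

if __name__ == "__main__":
    for name, (escaped, verdict) in check_samples().items():
        print(f"{name!r:22} naive escapes root: {escaped!s:5} hardened: {verdict}")
```

Path containment addresses the traversal only. The code-execution condition in the advisory also depends on whether the directory that receives uploads is served by the web server.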