A critical security vulnerability has been revealed in Cegid Meta4 HR, exposing an Unrestricted Upload of File flaw that empowers attackers to upload malicious files to the server through the ‘/config/espanol/update_password.jsp’ file. By manipulating the ‘M4_NEW_PASSWORD’ parameter, attackers can store a malicious JSP file in the file directory, which may then be executed when loaded in the application. This vulnerability is classified as high-severity with a CVSS base score of 9.0, indicating its critical nature and the substantial risk it poses. Swift action is imperative to address this vulnerability and mitigate the potential impact of exploitation. Further details and guidance on remediation can be accessed through the provided advisory. Organizations and individuals utilizing Cegid Meta4 HR are strongly urged to promptly address this critical security concern to safeguard their systems against potential exploitation and security risks.
The potential impact of unauthorized file uploads, and the associated risks pertaining to data confidentiality, integrity, and availability, underscores the critical nature of this vulnerability. Organizations are advised to promptly access the provided advisory from the Spanish National Cybersecurity Institute, S.A. (INCIBE) to obtain detailed information on this security vulnerability and actionable guidance for remediation.
