{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zip-slip/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openmrs-web (\u003c= 2.7.8)","openmrs-web (\u003e= 2.8.0, \u003c= 2.8.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","zip-slip","rce","openmrs","web-application"],"_cs_type":"advisory","_cs_vendors":["OpenMRS"],"content_html":"\u003cp\u003eOpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the \u003ccode\u003ePOST /openmrs/ws/rest/v1/module\u003c/code\u003e endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted \u003ccode\u003e.omod\u003c/code\u003e archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. 
The vulnerability stems from incomplete path validation within the \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e function, an oversight given that other extraction routines in the same codebase are properly protected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e.omod\u003c/code\u003e file containing a ZIP entry with a path traversal payload, such as \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint, uploading the malicious \u003ccode\u003e.omod\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and parses the uploaded \u003ccode\u003e.omod\u003c/code\u003e file, treating it as a ZIP archive.\u003c/li\u003e\n\u003cli\u003eDuring module loading via \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e, the server extracts entries under the \u003ccode\u003eweb/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe incomplete check accepts the entry \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e because it appears to sit under \u003ccode\u003eweb/module/\u003c/code\u003e; the embedded \u003ccode\u003e..\u003c/code\u003e segments are never rejected.\u003c/li\u003e\n\u003cli\u003eThe server writes the extracted file to a path built by joining the module view directory with the unsanitized entry name, so the \u003ccode\u003e..\u003c/code\u003e segments resolve to a location outside the intended \u003ccode\u003eWEB-INF/view/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eIf the written file is a JSP script, requesting it through a browser triggers server-side execution, achieving Remote Code Execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS\u0026rsquo;s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of affected installations is unknown, but the affected versions span both the 2.7 and 2.8 release lines of a widely deployed platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenMRS Malicious Module Upload\u003c/code\u003e to identify exploitation attempts based on HTTP requests to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint with suspicious file extensions in the query parameters.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events within the web application root directory for suspicious JSP files. 
Use the Sigma rule \u003ccode\u003eDetect JSP File Creation in Web Application Root\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003cli\u003eEnforce the \u003ccode\u003emodule.allow_web_admin\u003c/code\u003e restriction consistently across all module upload entry points, including the REST API, so that it cannot be bypassed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:39:31Z","date_published":"2026-05-04T17:39:31Z","id":"/briefs/2024-01-openmrs-zip-slip/","summary":"OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated administrators to achieve arbitrary file write and remote code execution.","title":"OpenMRS Module Upload Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-zip-slip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","code-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eA Zip Slip vulnerability exists in the CI4MS backup restore functionality. Authenticated users with backup creation permissions can exploit this by uploading a specially crafted ZIP archive. The vulnerability lies in the \u003ccode\u003eBackup::restore\u003c/code\u003e function (modules/Backup/Controllers/Backup.php), where the application extracts the uploaded ZIP without proper validation of the entry names. This allows an attacker to write files to arbitrary locations, including the public web root, leading to remote code execution (RCE). This vulnerability affects CI4MS versions prior to 0.31.5.0. 
By crafting a ZIP file with malicious paths, attackers can bypass intended directory restrictions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with \u003ccode\u003ecreate\u003c/code\u003e role accesses the vulnerable \u003ccode\u003e/backend/backup/restore\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) with a path traversing outside the intended extraction directory (e.g., \u003ccode\u003e../../public/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive via the \u003ccode\u003ebackup_file\u003c/code\u003e parameter in a POST request.\u003c/li\u003e\n\u003cli\u003eThe server moves the uploaded ZIP file to \u003ccode\u003eWRITEPATH . 'uploads/'\u003c/code\u003e without sanitizing or validating the ZIP entry names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eZipArchive::extractTo()\u003c/code\u003e function is called on the uploaded ZIP, extracting the malicious file to the specified path \u003ccode\u003e../../public/shell.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PHP file is written to the web root, allowing for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the injected PHP code by sending a request to \u003ccode\u003e/shell.php?c=id\u003c/code\u003e, executing arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the compromised server, including access to sensitive data and the ability to further compromise the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve remote code execution (RCE) on the CI4MS server. 
This can lead to full compromise of the installation, including the database credentials stored in \u003ccode\u003e.env\u003c/code\u003e and any other sensitive data handled by the site. Because the affected route is in the \u003ccode\u003ecsrfExcept\u003c/code\u003e list, this vulnerability can be triggered cross-site against a logged-in administrator, potentially leading to drive-by RCE against site operators. The vulnerability affects versions of \u003ccode\u003ecomposer/ci4-cms-erp/ci4ms\u003c/code\u003e prior to \u003ccode\u003e0.31.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecomposer/ci4-cms-erp/ci4ms\u003c/code\u003e to version 0.31.5.0 or later to patch the vulnerability as described in GHSA-xp9f-pvvc-57p4.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of uploaded ZIP archive entry names to prevent path traversal vulnerabilities. Specifically, validate the file paths extracted from the ZIP archive before calling \u003ccode\u003eextractTo()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Zip Slip via Web Request\u003c/code\u003e to identify potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious file creations, especially in web-accessible directories, after ZIP archive uploads, based on the attack chain described above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:28:39Z","date_published":"2026-04-22T17:28:39Z","id":"/briefs/2024-01-09-ci4ms-zip-slip/","summary":"The CI4MS Backup restore function is vulnerable to Zip Slip, allowing remote code execution by uploading a malicious ZIP archive that writes PHP files to the public web root due to missing validation of entry names during extraction, affecting versions prior to 0.31.5.0.","title":"CI4MS 
Backup Restore Zip Slip Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-09-ci4ms-zip-slip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["zip-slip","path-traversal","code-marketplace","persistence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA Zip Slip vulnerability (CVE-2026-35454) exists in the Coder code-marketplace application, specifically in versions up to 2.4.1. The vulnerability stems from improper sanitization of zip entry names during VSIX file extraction, which allows an attacker to write files to arbitrary locations on the server. This flaw, discovered by Kandlaguduru Vamsi and detailed in GHSA-8x9r-hvwg-c55h, can be exploited by any authenticated user with upload privileges. Successful exploitation could lead to persistence via cron/init injection, SSH key injection, \u003ccode\u003eld.so.preload\u003c/code\u003e hijacking, or binary overwrite. The vulnerability was patched in version 2.4.2. 
Defenders should upgrade to the latest version of the code-marketplace application to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with upload privileges logs into the code-marketplace application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious VSIX file containing zip entries with path traversal sequences (e.g., \u0026ldquo;../../../etc/cron.d/evil\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious VSIX file through the application\u0026rsquo;s extension upload functionality.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eExtractZip\u003c/code\u003e function processes the uploaded VSIX file without proper sanitization of zip entry names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efilepath.Join\u003c/code\u003e function constructs the output path using the unsanitized zip entry name and a base directory.\u003c/li\u003e\n\u003cli\u003ePath traversal sequences like \u003ccode\u003e..\u003c/code\u003e are resolved by \u003ccode\u003efilepath.Clean\u003c/code\u003e, but the resulting path is not checked against the intended base directory, allowing it to escape.\u003c/li\u003e\n\u003cli\u003eThe application writes the extracted file to an attacker-controlled location on the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, privilege escalation, or arbitrary code execution by overwriting critical system files or injecting malicious code into system configurations like cron jobs or SSH authorized keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Zip Slip vulnerability allows attackers to write arbitrary files to the underlying system. An attacker can achieve persistence by injecting malicious cron jobs or modifying system initialization scripts. 
Privilege escalation is possible via SSH key injection or by overwriting binaries with malicious versions. The impact ranges from system compromise to data exfiltration and denial of service. While the number of victims is unknown, any organization using vulnerable versions of the Coder code-marketplace application is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the coder/code-marketplace application to version 2.4.2 or later to remediate CVE-2026-35454.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on critical system directories (e.g., /etc/cron.d, /root/.ssh) using a file_event log source to detect unauthorized file modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious File Creation in Sensitive Directories\u0026rdquo; to detect potential exploitation attempts based on file creation events.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging and deploy the provided Sigma rule \u0026ldquo;Detect VSIX Uploads with Path Traversal\u0026rdquo; to identify suspicious VSIX uploads containing path traversal sequences based on request parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T06:29:50Z","date_published":"2026-04-04T06:29:50Z","id":"/briefs/2026-06-code-marketplace-zip-slip/","summary":"A Zip Slip vulnerability in coder/code-marketplace allows authenticated users to upload malicious VSIX files containing path traversal entries, leading to arbitrary file writes outside the extension directory and potentially enabling persistence.","title":"Coder Code-Marketplace Zip Slip 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-code-marketplace-zip-slip/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2024-57728"}],"_cs_exploited":false,"_cs_products":["SimpleHelp"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-57728","path-traversal","zip-slip"],"_cs_type":"advisory","_cs_vendors":["SimpleHelp"],"content_html":"\u003cp\u003eA path traversal vulnerability exists within SimpleHelp, identified as CVE-2024-57728. This flaw enables authenticated administrators to upload arbitrary files to any location on the server\u0026rsquo;s file system. This is achieved through the use of a specially crafted ZIP archive (a technique known as Zip Slip). Successful exploitation allows an attacker to execute arbitrary code within the security context of the SimpleHelp server user. The vulnerability impacts SimpleHelp versions 5.5.7 and earlier. Defenders should apply vendor-provided mitigations or discontinue use of the software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the SimpleHelp console, either through compromised credentials or exploiting a separate authentication bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a file with a path traversal sequence (e.g., \u0026ldquo;../../malicious.exe\u0026rdquo;) in its entry name.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted ZIP archive to the SimpleHelp server through a file upload functionality available to administrators.\u003c/li\u003e\n\u003cli\u003eThe SimpleHelp server extracts the contents of the ZIP archive without validating the entry paths against the intended upload directory.\u003c/li\u003e\n\u003cli\u003eThe file with the path traversal sequence is extracted to an arbitrary location on the file system outside of the intended upload directory.\u003c/li\u003e\n\u003cli\u003eThe attacker still needs a way to run the dropped 
executable; overwriting an existing system utility or service executable that the host launches is one option.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs with the privileges of the SimpleHelp server user.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the host, potentially leading to complete system compromise, data exfiltration, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-57728 allows an attacker to execute arbitrary code on the SimpleHelp server with the privileges of the SimpleHelp service account. This can result in a full compromise of the SimpleHelp server, potentially leading to data theft, service disruption, or further lateral movement within the network. Every SimpleHelp deployment running 5.5.7 or earlier is affected, and the impact is high because the service account\u0026rsquo;s privileges permit complete takeover of the host.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations provided by SimpleHelp to patch the vulnerability. Refer to the vendor advisory for instructions: \u003ca href=\"https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier\"\u003ehttps://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eInspect ZIP archives uploaded to the SimpleHelp server for entry names containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;), and use a file integrity monitoring (FIM) or endpoint detection and response (EDR) solution to alert on files that the SimpleHelp service process creates outside its expected upload directory. 
Deploy the \u0026ldquo;Detect SimpleHelp Path Traversal ZIP Upload\u0026rdquo; Sigma rule to identify suspicious ZIP files.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly audit administrative access to the SimpleHelp console to prevent unauthorized users from exploiting the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-25T10:00:00Z","date_published":"2024-06-25T10:00:00Z","id":"/briefs/2024-06-simplehelp-path-traversal/","summary":"CVE-2024-57728 is a path traversal vulnerability in SimpleHelp that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file, potentially leading to arbitrary code execution.","title":"SimpleHelp Path Traversal Vulnerability (CVE-2024-57728)","url":"https://feed.craftedsignal.io/briefs/2024-06-simplehelp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","codeigniter","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eThe ci4ms application is vulnerable to a Zip Slip attack in its theme upload functionality. This vulnerability, present in versions prior to 0.31.5.0, allows an authenticated backend user with theme creation privileges to upload a specially crafted ZIP archive. Due to the lack of proper validation of entry names during extraction, the attacker can write files to arbitrary locations on the filesystem. This is achieved by including malicious path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) in the ZIP archive\u0026rsquo;s entry names. The vulnerability allows an attacker to place a PHP webshell in the public web root, enabling remote code execution on the server. 
This issue poses a significant risk to organizations using ci4ms, as it allows attackers to fully compromise the installation and access sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ci4ms backend with an account possessing the theme \u003ccode\u003ecreate\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP webshell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) and an \u003ccode\u003einfo.xml\u003c/code\u003e file for theme validation. The webshell is placed with a path traversal sequence, such as \u003ccode\u003e../../public/shell.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the theme upload functionality within the ci4ms backend, accessible via the \u003ccode\u003ebackend/themes/themesUpload\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive through the web interface, triggering the \u003ccode\u003eTheme::upload\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eZipArchive::extractTo()\u003c/code\u003e function extracts the contents of the ZIP archive to a temporary directory (\u003ccode\u003eWRITEPATH . 'tmp/' . str_replace('_theme.zip', '', $file-\u0026gt;getName()) . 
'/'\u003c/code\u003e) without validating entry names.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences in the ZIP archive, the PHP webshell is written to the web server\u0026rsquo;s document root (e.g., \u003ccode\u003e/var/www/html/public/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the PHP webshell via a web browser or command-line tool like \u003ccode\u003ecurl\u003c/code\u003e, passing commands to be executed on the server (e.g., \u003ccode\u003ehttps://target.example.com/shell.php?c=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe webserver executes the attacker-supplied command, granting the attacker remote code execution on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Zip Slip vulnerability allows an attacker to gain remote code execution on the ci4ms server. This grants the attacker full control over the server, potentially leading to the exfiltration of sensitive data, including database credentials stored in the \u003ccode\u003e.env\u003c/code\u003e file. The attacker can also modify or delete website content, install malware, or use the compromised server as a launching point for further attacks. 
This vulnerability affects versions of ci4ms prior to 0.31.5.0, and impacts any installation where an attacker can obtain theme creation privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ci4ms to version 0.31.5.0 or later to patch CVE-2026-41203.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Webshell Upload via Theme Exploit\u003c/code\u003e to detect attempts to upload malicious themes containing webshells.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent path traversal attacks in file upload functionalities.\u003c/li\u003e\n\u003cli\u003eRestrict theme creation privileges to only trusted administrators and monitor theme creation activity for suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-ci4ms-zip-slip/","summary":"A critical vulnerability exists in ci4ms Theme::upload, where improper validation of ZIP archive entry names allows authenticated users with theme creation permissions to write files to arbitrary locations, leading to remote code execution.","title":"CI4MS Theme Upload Zip Slip Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-zip-slip/"}],"language":"en","title":"CraftedSignal Threat Feed — Zip-Slip","version":"https://jsonfeed.org/version/1.1"}
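The five briefs in this feed share one root cause: an archive entry name is joined onto a destination directory and the result is never compared with that directory, whether the join is `WebModuleUtil.startModule()` in OpenMRS, `ZipArchive::extractTo()` in CI4MS, `filepath.Join` in Coder code-marketplace, or the SimpleHelp upload handler. The Python block below is an added example, not code from any of those projects or from CraftedSignal. It builds a constructed archive carrying the OpenMRS-style `web/module/../../../../shell.jsp` entry plus an absolute-path entry, extracts it with the vulnerable join-only pattern, then with a check that resolves each target path and requires it to stay under the destination. The directory layout, entry contents and file names are assumptions made for the demo.

```python
"""Zip Slip: the vulnerable join-only extractor beside a hardened one.

Added example, not code from OpenMRS, CI4MS, Coder or SimpleHelp. The
archive, directory layout and file contents are constructed for the demo;
the traversal entry mirrors the payload shape described in the OpenMRS brief.
"""
import io
import os
import shutil
import tempfile
import zipfile

# Starts with the expected prefix, so a name.startswith("web/module/")
# pre-check accepts it, yet the .. segments climb above the destination.
TRAVERSAL_ENTRY = "web/module/../../../../shell.jsp"


def build_malicious_zip(absolute_target: str) -> bytes:
    """Constructed archive: one benign entry and two entries that escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("web/module/index.jsp", "<%-- harmless module view --%>")
        zf.writestr(TRAVERSAL_ENTRY, "<%-- stands in for a JSP web shell --%>")
        # Absolute entry name: os.path.join() discards the base directory.
        zf.writestr(absolute_target, "lands wherever the process may write")
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """The vulnerable pattern: join the name onto dest and write, no check."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_within(base: str, target: str) -> bool:
    """True when the fully resolved target is base itself or lies beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def extract_safe(zip_bytes: bytes, dest: str) -> tuple:
    """Hardened extractor: reject absolute names, backslashes, drive letters
    and any entry whose resolved path leaves dest. Returns (written, rejected).
    Symlink entries are not special-cased here; they are written as files."""
    written, rejected = [], []
    base = os.path.realpath(dest)
    os.makedirs(base, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or "\\" in name or ":" in name:
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(base, name))  # resolve first
            if not is_within(base, target):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Extract the constructed archive both ways inside a throwaway tree and
    report, relative to that tree, what escaped and what was refused."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-"))
    module_dir = os.path.join("webapp", "WEB-INF", "view", "module")
    naive_dest = os.path.join(root, "naive", module_dir)
    safe_dest = os.path.join(root, "safe", module_dir)
    archive = build_malicious_zip(os.path.join(root, "outside", "evil.txt"))
    try:
        os.makedirs(naive_dest)
        naive_written = extract_naive(archive, naive_dest)
        safe_written, safe_rejected = extract_safe(archive, safe_dest)
        escaped = [p for p in naive_written if not is_within(naive_dest, p)]

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        return {
            "naive_escaped": [rel(p) for p in escaped],
            "safe_written": [rel(p) for p in safe_written],
            "safe_rejected": safe_rejected,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` reports the naive extractor dropping `shell.jsp` two levels above the module directory (the `WEB-INF/` position the OpenMRS brief describes) and `evil.txt` entirely outside the tree, while the hardened extractor writes only `index.jsp` and refuses the other two by name. The check is done on the resolved path, not on the raw entry name, which is why a prefix test like `startswith("web/module/")` is not a substitute: the traversal entry passes it. Real extractors also need to handle symlink entries and pre-existing symlinks inside the destination, which the realpath-based comparison covers only for the latter.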
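The recommendation lists above name Sigma rules keyed on HTTP requests to the upload endpoints and on traversal sequences or suspicious file extensions in request parameters. The Python block below is an added example of that detection logic run over constructed combined-format access-log lines; it is not the feed's Sigma rules and not any vendor's code. The three endpoint paths come from the briefs; the log lines, the `filename` and `name` query parameters and the `/api/extensions` path are assumptions.

```python
"""Request-log detection for the Zip Slip upload endpoints in the briefs above.

Added example; not the feed's Sigma rules or any vendor's code. Log lines are
constructed, and the `filename`/`name` query parameters and `/api/extensions`
path are assumptions; the three UPLOAD_ENDPOINTS paths are from the briefs.
"""
import re
from urllib.parse import unquote, urlsplit

# Upload endpoints named in the briefs; keys are request paths as logged.
UPLOAD_ENDPOINTS = {
    "/openmrs/ws/rest/v1/module": "OpenMRS module upload",
    "/backend/backup/restore": "CI4MS backup restore",
    "/backend/themes/themesUpload": "CI4MS theme upload",
}

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A bare ".." segment after decoding, including one right after ?, = or &.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/=?&])\.\.(?:[\\/]|$)")
# Server-side executable extensions appearing as a filename in the query.
RISKY_EXT_RE = re.compile(r"\.(?:jspx?|php|phtml)(?=$|[^a-z0-9])", re.I)

SAMPLE_LOG = [  # constructed lines; addresses are from documentation ranges
    '203.0.113.5 - - [04/May/2026:17:40:01 +0000] '
    '"POST /openmrs/ws/rest/v1/module?filename=..%2F..%2Fweb%2Fshell.jsp HTTP/1.1" '
    '201 512 "-" "curl/8.5.0"',
    '203.0.113.5 - - [04/May/2026:17:40:02 +0000] '
    '"GET /openmrs/ws/rest/v1/module HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '198.51.100.7 - - [22/Apr/2026:17:30:11 +0000] '
    '"POST /backend/backup/restore HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Apr/2026:06:30:00 +0000] '
    '"POST /api/extensions?name=%252e%252e%252f%252e%252e%252fetc%252fcron.d%252fevil '
    'HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [04/May/2026:17:41:00 +0000] '
    '"GET /index.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded %252e%252e is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(method: str, target: str) -> list:
    """Return the detection tags that apply to one request line."""
    tags = []
    parts = urlsplit(target)
    path = decode_fully(parts.path).rstrip("/")
    if method == "POST" and path in UPLOAD_ENDPOINTS:
        tags.append("upload-endpoint")
    if TRAVERSAL_RE.search(decode_fully(target)):
        tags.append("traversal")
    if RISKY_EXT_RE.search(decode_fully(parts.query)):
        tags.append("risky-ext-in-query")
    return tags


def scan(lines) -> list:
    """Parse combined-format lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; count such lines as parse errors
        tags = analyse_request(m["method"], m["target"])
        if tags:
            path = decode_fully(urlsplit(m["target"]).path).rstrip("/")
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "tags": tags,
                "endpoint": UPLOAD_ENDPOINTS.get(path),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Over the constructed lines, `scan()` flags the OpenMRS POST on all three counts, the CI4MS restore POST only as an upload-endpoint hit, and the double-encoded `/api/extensions` request only for traversal; the GET to the module endpoint and the ordinary page load produce nothing. Decoding until the string stops changing is what makes `%252e%252e%252f` visible. The limitation to keep in mind is that an access log shows the request line, not the ZIP body: in the CI4MS and SimpleHelp cases the traversal lives in the archive entry names, so the only log-side signal is a POST to the restore or upload endpoint, which is why the briefs pair these rules with file-creation monitoring in the web root and in sensitive system directories.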