Impact
An unrestricted file upload flaw exists in HCL ZIE for Web that allows an attacker to place arbitrary files in the webroot. If the server is configured to execute uploaded code, the attacker can upload a file such as a web shell and run arbitrary commands. This vulnerability is linked to the weakness of inadequate input validation (CWE-209). The impact is that a successful upload can lead to execution of malicious code on the server, compromising confidentiality, integrity, and potentially availability of the affected system.
Affected Systems
All installations of HCL Software ZIE for Web are potentially affected, particularly those that permit uploaded files to be executed within the webroot. No specific version details are provided; the vulnerability applies to any affected deployment where code execution is enabled for uploaded content.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate risk level. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the file to be uploaded to a location that the web server treats as executable. If the server is not configured to execute uploaded code, the attack vector is ineffective. Therefore, the primary risk lies in environments where execution permissions are granted to upload directories. While the vulnerability does not guarantee immediate remote code execution without proper configuration, it is a valid concern for improperly secured installations.
OpenCVE Enrichment