Potential Threat of RCE in FileCloud in Admin Portal

Security Advisory Date	May 12, 2021
Vulnerability Type	Insecure Deserialization
Severity factors	Low, to take advantage of this vulnerability, admins must have access to the admin portal, must have access to manipulate and setup system paths and must know the physical location of the file path and upload to a path that allows execution
Versions affected	All versions of FileCloud prior to 21.1.0.15081, on-premises installations only.
Version fixed	FileCloud Version 21.1.0.15081

Description

This vulnerability allowed an admin with full system privileges including file system storage paths to upload phar files to FileCloud and potentially change the php wrapper of a php function to execute remote PHP code.
The latest version of FileCloud fixes this by disallowing phar files to be uploaded to the server.

Fix

This has been fixed in FileCloud version 21.1.0.15081, which prevents phar files from being uploaded into FileCloud.

What you should do

If you are using a FileCloud on-premises installation, please update it to the latest version, which is 21.1.0.15081 or greater.
If you are using FileCloud online, you are not affected.

If you have any questions about this advisory, please contact FileCloud support.