JVN#58774946: FileZen vulnerable to OS command injection

FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or an web interface.
FileZen contains an OS command injection vulnerability (CWE-78).

Impact

A remote attacker who obtained the administrative account of this product may execute an arbitrary OS command.

Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been already addressed in the following firmware versions.

• FileZen V4.2.8
• FileZen V5.0.3

Apply workarounds
Applying workarounds may mitigate the impacts of this vulnerability.
The developer recommends applying following mitigations to this product.

• Disabe the initial administrator account “admin”
• Change the System Administrator account’s ID and Password
• Set the System Administrator account to prevent log on from the internet

For more information, refer to the information provided by the developer (in Japanese).

Products Affected

• FileZen versions from V3.0.0 to V4.2.7
• FileZen versions from V5.0.0 to V5.0.2