Feb 20, 2022
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again.
Once an attacker is authenticated as the new admin user they have added, it is possible to upload a web shell and achieve command execution.
Dynamicweb offers a cloud based eCommerce suite. Dynamicweb enables customers to deliver better digital customer experiences and to scale ecommerce success through our Content Management, Digital Marketing, Ecommerce, and Product Information Management solutions.
Hotfixed versions that contain a fix can be found below:
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team
The timeline for this disclosure process can be found below: