Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated user to potentially gain remote code execution. The application lets users upload documentary proofs but does not properly validate the uploaded files, which are stored in a folder that is a child of the webroot.
A link in the interface gives access to this file, and if the uploaded file can be interpreted by the server, the user can gain remote code (and possibly command) execution.
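The three weaknesses described above (no validation of the upload, storage under the webroot, and a direct link to the stored file) can be closed together. The following upload handler is an added illustration, not Mobatime's code; the allowlist, function names and storage layout are assumptions.

```python
import os
import secrets
# Allowlist for "documentary proof" uploads (hypothetical; the vendor's accepted
# types are not on the page): extension -> (required magic bytes, MIME type).
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-", "application/pdf"),
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
}
MAX_BYTES = 5 * 1024 * 1024

def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for a client-supplied name and file content."""
    # Reject anything that could escape the storage directory.
    if not filename or os.path.basename(filename.replace("\\", "/")) != filename:
        return False, "filename must not contain path separators"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # Extension alone is not enough: script source named 'proof.pdf' fails here.
    if not data.startswith(ALLOWED_TYPES[ext][0]):
        return False, "content does not match the declared type"
    return True, "ok"

def storage_name(filename: str) -> str:
    """Random token + validated extension only ('shell.php.pdf' -> '<token>.pdf')."""
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()

def store_upload(filename: str, data: bytes, storage_dir: str) -> str:
    """Validate, then write into storage_dir, which must lie outside the webroot."""
    ok, reason = check_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    name = storage_name(filename)
    with open(os.path.join(storage_dir, name), "wb") as fh:
        fh.write(data)
    return name  # the app maps this to the record; the path is never exposed

def download_headers(stored_name: str) -> dict:
    """Headers for the authorised download endpoint: force download, no sniffing."""
    ext = os.path.splitext(stored_name)[1].lower()
    return {
        "Content-Type": ALLOWED_TYPES[ext][1],
        "Content-Disposition": f'attachment; filename="proof{ext}"',
        "X-Content-Type-Options": "nosniff",
    }
```

Because the stored file is never under the webroot and is only streamed back by an application endpoint that checks authorisation and sets these headers, the server has no opportunity to interpret it even if the content check were bypassed.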
