Submit #239802: http://jimureport.com/ https://mvnrepository.com/artifact/org.jeecgframework.jimureport/jimureport-spring-boot-starter/1.6.1 jimureport <= 1.6.1 arbitrary file writeinfo

Titelhttp://jimureport.com/ https://mvnrepository.com/artifact/org.jeecgframework.jimureport/jimureport-spring-boot-starter/1.6.1 jimureport <= 1.6.1 arbitrary file write
BeschreibungJimureport has the function of remotely downloading files and writing them to the server, but the file name is not verified during the download and writing process, resulting in a special file name can be constructed to write arbitrary files, and an attacker can exploit this vulnerability to write SSH public key or write WAR packages to deploy Trojan files (when the application is deployed with Tomcat).
Quelle⚠️ https://github.com/N0b1e6/exp/blob/main/README.md
Benutzer
 N0b1e6 (UID 42939)
Einreichung17.11.2023 04:14 (vor 3 Jahren)
Moderieren26.11.2023 16:08 (9 days later)
StatusAkzeptiert
VulDB Eintrag246133 [jeecgboot JimuReport bis 1.6.1 /download/image imageUrl Directory Traversal]
Punkte19

ZurückÜbersichtWeiter

Want to stay up to date on a daily basis?

Enable the mail alert feature now!