Submit #739805: https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal

Title: https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal
Description: Accessing the route "/jshERP-boot/plugin/uploadPluginConfigFile" sends the request to the handler "com.jsh.erp.controller.PluginController#uploadConfig". The user-passed MultipartFile object is then passed to the function com.gitee.starblues.integration.operator.PluginOperator#uploadConfigFile. Finally, it reaches the sink in the function "com.gitee.starblues.integration.operator.PluginOperator#uploadConfigFile". We can upload any file to the project directory, such as a webshell file.
Source: ⚠️ https://github.com/jishenghua/jshERP/issues/146
User: mukyuuhate (UID 93052)
Submission: 15.01.2026 16:23 (3 months ago)
Moderation: 28.01.2026 17:53 (13 days later)
Status: Accepted
VulDB entry: 343245 [jishenghua jshERP up to 3.6 PluginController uploadPluginConfigFile configFile Directory Traversal]
Points: 20
