| Field | Value |
|---|---|
| Title | Kingdee Cloud-Starry-Sky Enterprise Edition V8.2 Remote Arbitrary Code Execution Vulnerability (RCE) |
| Description | 1. Vulnerability name: Remote Arbitrary Code Execution Vulnerability (RCE) in Kingdee Cloud-Starry-Sky Enterprise Edition<br>2. Vulnerability contributor and submitter: caichaoxiong<br>3. Manufacturer and product information: https://www.kingdee.com/products/galaxy.html<br>4. Vulnerability level: Critical<br>5. Vulnerability description: ScriptEngine is part of the Java platform used by the Kingdee Cloud Star application software. It lives in the javax.script package and provides a standard way to execute scripting languages such as JavaScript, Python and Groovy. The ScriptEngine of Kingdee Cloud Star BBC Mall (Tomcat-BBCMallSite) has a security defect in how it processes user input: an attacker can inject malicious code without authentication and execute arbitrary code on the server side, resulting in a remote arbitrary code execution vulnerability (RCE). This can be used to obtain sensitive data from the Kingdee Cloud Star server, take control of the application system, penetrate the intranet, and so on, which is serious.<br>6. Repair plan: Avoid using the backend service's JS engine to directly execute arbitrary data supplied by the user. Any data input or passed in by the user is to be treated as untrusted and must be filtered and encoded. |
| Source | https://wx.mail.qq.com/s?k=nHPdhBg6RWIQsQ6rEP |
| User | caichaoxiong (UID 84060) |
| Submission | 2025-06-21 07:04 (10 months ago) |
| Moderation | 2025-09-28 11:49 (3 months later) |
| Status | Duplicate |
| VulDB Entry | 318642 [Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2 IIS-K3CloudMiniApp FileUploadAction.class filePath path traversal] |
| Points | 0 |