| Titre | https://github.com/h-moses/moga-mall moga-mall 1.0 Upload any file |
|---|
| Description | The PmsProductController.java interface of moga mall version 1.0 has an arbitrary file upload vulnerability, which allows attackers to exploit /,. The encoding method of./bypasses detection, causing directory traversal, and there is no restriction on file suffix types, resulting in arbitrary file uploads that may lead to getshell and more serious consequences.
This code only segments the target string using '/' and only verifies if the segmented segment is' Or To prevent the risk of path traversal, this protection mechanism has significant flaws. Attackers can bypass detection in various ways, triggering directory traversal vulnerabilities and ultimately leading to high-risk security consequences such as directory traversal and arbitrary file uploads |
|---|
| La source | ⚠️ https://github.com/zyhzheng500-maker/cve/blob/main/moga-mall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
|---|
| Utilisateur | zyhsec (UID 93418) |
|---|
| Soumission | 23/12/2025 13:27 (il y a 4 mois) |
|---|
| Modérer | 27/12/2025 14:59 (4 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 338529 [h-moses moga-mall PmsProductController.java addProduct objectName élévation de privilèges] |
|---|
| Points | 20 |
|---|