जमा करें #689414: lsFusion 6.1 Arbitrary File Uploadजानकारी

शीर्षक	lsFusion 6.1 Arbitrary File Upload
विवरण	Accessing the /uploadFile API invokes the handleRequest method in UploadFileRequestHandler. This method accepts an unvalidated sid parameter, which is directly appended to FileUtils.APP_UPLOAD_FOLDER_PATH. Additionally, there are no restrictions on the uploaded filename. When combined with directory traversal, this allows an attacker to upload JSP files to a web-accessible directory, leading to client-side file upload–based remote code execution (RCE).
स्रोत	⚠️ https://github.com/lsfusion/platform/issues/1544
उपयोगकर्ता	R1ckyZ (UID 92331)
सबमिशन	05/11/2025 08:01 AM (6 महीनों पहले)
संयम	16/11/2025 12:00 PM (11 days later)
स्थिति	स्वीकृत
VulDB प्रविष्टि	332597 [lsfusion platform तक 6.1 UploadFileRequestHandler.java UploadFileRequestHandler sid निर्देशिका ट्रैवर्सल]
अंक	20

Might our Artificial Intelligence support you?

Check our Alexa App!