| Title | ChestnutCMS <=15.1 code execution |
|---|---|
| Description | ChestnutCMS is an enterprise-level content management system with separated front end and back end. Before version 5.1, the system supported online execution of Groovy scripts after login. Code analysis shows that the dev-api/groovy/exec API endpoint accepts a JSON body as input. The scriptText field of that JSON is passed to BaseGroovyScript script = GroovyScriptFactory.getInstance().loadNewInstance(scriptBody.getScriptText()) for instantiation and then executed via script.run(). The script content is never validated or sandboxed; the only gate in front of it is the @Priv check for the GroovyExec menu privilege, so any logged-in account holding that privilege can run arbitrary Groovy code on the server. Because this feature is exposed to the frontend, it poses a significant security risk. The relevant controller from the report: |
```java
@RestController
@RequiredArgsConstructor
@RequestMapping("/groovy")
public class GroovyController {

    // Requires an admin-type user holding the GroovyExec menu privilege;
    // this annotation is the only access control in front of script execution.
    @Log(title = "Execute Groovy script", businessType = BusinessType.UPDATE)
    @Priv(type = AdminUserType.TYPE, value = SysMenuPriv.GroovyExec)
    @PostMapping("/exec")
    public R<?> execGroovyScript(@RequestBody @Validated ScriptBody scriptBody) throws Exception {
        StringWriter writer = new StringWriter();
        PrintWriter printWriter = new PrintWriter(writer);
        try {
            // The request body's scriptText is compiled and run as-is:
            // no validation, allow-list or sandbox is applied to it.
            BaseGroovyScript script = GroovyScriptFactory.getInstance().loadNewInstance(scriptBody.getScriptText());
            script.setPrintWriter(printWriter);
            script.run();
        } catch (Exception e) {
            e.printStackTrace(printWriter);
        }
        // Whatever the script printed (or its stack trace) is returned to the caller.
        return R.ok(writer.toString());
    }

    @Getter
    @Setter
    static class ScriptBody {
        @NotEmpty
        private String scriptText; // JSON field "scriptText"
    }
}
```
| Source | ⚠️ https://github.com/byxs0x0/cve/issues/7 |
|---|---|
| User | wanglun (UID 73616) |
| Submission | 30/05/2025 04:15 (1 year ago) |
| Moderation | 03/06/2025 18:44 (5 days later) |
| Status | Accepted |
| VulDB Entry | 311002 [ChestnutCMS up to 15.1 API Endpoint /dev-api/groovy/exec privilege escalation] |
| Points | 20 |
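As an added defender's example (not part of the submission or of the ChestnutCMS project), the following Python script scans web-server access log lines for requests to the /dev-api/groovy/exec endpoint described above, so that use of the online script-execution feature can be audited or alerted on. The log lines, the Nginx-style log format and the client addresses are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample access log (not real traffic): two clients call the
# Groovy exec endpoint, one of them with a query string and a case variation.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [30/May/2025:04:15:02 +0000] "POST /dev-api/groovy/exec HTTP/1.1" 200 412
203.0.113.7 - - [30/May/2025:04:15:03 +0000] "GET /dev-api/cms/site/list HTTP/1.1" 200 2210
198.51.100.9 - - [30/May/2025:04:16:10 +0000] "POST /dev-api/groovy/exec?x=1 HTTP/1.1" 200 96
198.51.100.9 - - [30/May/2025:04:16:11 +0000] "POST /dev-api/groovy/EXEC HTTP/1.1" 403 58
192.0.2.5 - - [30/May/2025:04:17:00 +0000] "POST /dev-api/system/user HTTP/1.1" 200 120
"""

# Assumed combined/Nginx log layout: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
GROOVY_EXEC_PATH = "/dev-api/groovy/exec"


def find_groovy_exec_calls(log_text: str) -> List[Dict[str, str]]:
    """Return every POST that targets the Groovy exec endpoint.

    The query string is stripped and the path is compared case-insensitively,
    so trivial variations of the path still show up in the audit; denied
    attempts (403) are kept as well, since they indicate someone probing
    the feature.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        path = m.group("path").split("?", 1)[0].lower()
        if m.group("method") == "POST" and path == GROOVY_EXEC_PATH:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status")})
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count exec-endpoint calls per client address for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts
```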