| タイトル | https://gitee.com/opencc/JFlow JFlow latest version Remote Code Execution |
|---|
| 説明 | Jflow is a widely used open-source/commercial workflow management system. In the source code of its latest version, the Calculate() method (around lines 5775-5779) in the file src/main/java/bp/wf/httphandler/WF_CCForm.java contains a critical Remote Code Execution (RCE) vulnerability.
When processing dynamic calculation logic for form fields, this method fails to strictly filter or validate user-inputted formulas or parameters. Attackers can craft malicious HTTP requests to inject specific operating system command separators (such as |, &, ;, $(), etc.) into the calculation interface, causing the backend server to execute arbitrary system commands without authorization. Successful exploitation of this vulnerability allows attackers to obtain the highest server privileges (e.g., root/system), thereby enabling them to steal sensitive data, implant backdoors, tamper with business data, or cause service outages. |
|---|
| ソース | ⚠️ https://gitee.com/opencc/JFlow/issues/IE8R2F?from=project-issue |
|---|
| ユーザー | MaoQiu (UID 94327) |
|---|
| 送信 | 2026年02月27日 12:24 (1 月 ago) |
|---|
| モデレーション | 2026年03月08日 17:31 (9 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 349779 [opencc JFlow 迄 5badc00db382d7cb82dad231e6a866b18e0addfe WF_CCForm.java Calculate 特権昇格] |
|---|
| ポイント | 20 |
|---|