Submit #804293: CodeLibs Fess 15.5.1 Arbitrary File Writeinfo

TitleCodeLibs Fess 15.5.1 Arbitrary File Write
DescriptionThe update() method in AdminDesignAction writes user-supplied content directly to a JSP file on disk after passing it through decodeJsp(). The filter only escapes <% %> scriptlet tags and <%= %> expression tags — JSP EL expressions (${}) are not touched at all. An attacker with the admin-design role can inject JSP EL expressions into content. EL expressions are evaluated by the JSP/Servlet container at render time and can invoke arbitrary Java methods, achieving Remote Code Execution.
Source⚠️ https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZxVozUc8UA4nog?from=from_copylink
User
 R1ckyZ (UID 92331)
Submission04/14/2026 10:51 (3 months ago)
Moderation05/09/2026 08:09 (25 days later)
StatusAccepted
VulDB entry362419 [codelibs Fess up to 15.5.1 JSP File AdminDesignAction.java update content code injection]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!