| tiêu đề | FUJIAN APEX SOFTWARE CO., LTD. LiveBOS <2.1 Remote Code Execution |
|---|
| Mô tả | A critical vulnerability has been identified in the LiveBOS platform developed by FUJIAN APEX SOFTWARE CO., LTD.. The flaw exists within the /feed/UploadImage.do endpoint.
1. Authentication Bypass: An attacker can bypass the security filter by appending a semicolon and a static file extension (e.g., ;js.jsp) to the URL path.
2. Path Traversal & Arbitrary File Upload: The endpoint fails to properly sanitize the filename parameter in the multipart request, allowing the use of ../ sequences for directory traversal.
3. Remote Code Execution (RCE): An unauthenticated remote attacker can exploit this to upload a malicious JSP file into the webroot or other sensitive directories. By accessing the uploaded script, the attacker can execute arbitrary system commands (e.g., whoami) and gain full control over the target server. |
|---|
| Nguồn | ⚠️ https://my.feishu.cn/docx/TCyMdptvaoTQCvxkHLbceJZCnge?from=from_copylink |
|---|
| Người dùng | 0menc (UID 75423) |
|---|
| Đệ trình | 14/04/2026 05:38 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 30/04/2026 18:31 (17 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 360333 [Fujian Apex LiveBOS đến 2.0 Endpoint /feed/UploadImage.do filename duyệt thư mục] |
|---|
| điểm | 20 |
|---|