| 标题 | https://github.com/h-moses/moga-mall moga-mall 1.0 Upload any file |
|---|
| 描述 | The PmsProductController.java interface of moga mall version 1.0 has an arbitrary file upload vulnerability, which allows attackers to exploit /,. The encoding method of./bypasses detection, causing directory traversal, and there is no restriction on file suffix types, resulting in arbitrary file uploads that may lead to getshell and more serious consequences.
This code only segments the target string using '/' and only verifies if the segmented segment is' Or To prevent the risk of path traversal, this protection mechanism has significant flaws. Attackers can bypass detection in various ways, triggering directory traversal vulnerabilities and ultimately leading to high-risk security consequences such as directory traversal and arbitrary file uploads |
|---|
| 来源 | ⚠️ https://github.com/zyhzheng500-maker/cve/blob/main/moga-mall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
|---|
| 用户 | zyhsec (UID 93418) |
|---|
| 提交 | 2025-12-23 13時27分 (4 月前) |
|---|
| 管理 | 2025-12-27 14時59分 (4 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 338529 [h-moses moga-mall 直到 392d631a5ef15962a9bddeeb9f1269b9085473fa PmsProductController.java addProduct objectName 权限提升] |
|---|
| 积分 | 20 |
|---|