| 标题 | CodeLibs Fess 15.5.1 Arbitrary File Write |
|---|
| 描述 | The update() method in AdminDesignAction writes user-supplied content directly to a JSP file on disk after passing it through decodeJsp(). The filter only escapes <% %> scriptlet tags and <%= %> expression tags — JSP EL expressions (${}) are not touched at all. An attacker with the admin-design role can inject JSP EL expressions into content. EL expressions are evaluated by the JSP/Servlet container at render time and can invoke arbitrary Java methods, achieving Remote Code Execution. |
|---|
| 来源 | ⚠️ https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZxVozUc8UA4nog?from=from_copylink |
|---|
| 用户 | R1ckyZ (UID 92331) |
|---|
| 提交 | 2026-04-14 10時51分 (2 月前) |
|---|
| 管理 | 2026-05-09 08時09分 (25 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 362419 [codelibs Fess 直到 15.5.1 JSP File AdminDesignAction.java update content 权限提升] |
|---|
| 积分 | 20 |
|---|