| Field | Value |
|---|---|
| Title | JPress 5.0 Unrestricted Upload |
| Description | See below |
| Source | https://github.com/JPressProjects/jpress |
| User | feng123123 (UID 95215) |
| Submitted | 2026-04-25 09:26 (1 month ago) |
| Moderated | 2026-05-23 10:22 (28 days later) |
| Status | Duplicate |
| VulDB entry | 191247 [jpress 4.2.0 privilege escalation] |
| Points | 0 |

Description:

JPress 5.0 contains a public form upload validation bypass in the module-form frontend form submission flow. The public form controller accepts multipart uploads for published forms and moves uploaded files into the attachment storage path while preserving the original file extension. Unlike the other JPress upload controllers, this code path does not call `AttachmentUtils.isUnSafe()` before `AttachmentUtils.moveFile()`.

As a result, a remote unauthenticated attacker who can submit a published form with an upload-capable field and pass the configured CAPTCHA can upload files with dangerous extensions such as `.jsp`, `.jspx`, `.php`, `.html`, `.svg`, `.js`, `.exe`, `.sh`, `.jar`, or `.war`, even though these extensions are explicitly blocked by JPress in its other upload flows.

The impact is deployment-dependent. In default webroot/Tomcat-style deployments, where the attachment root falls back to the web application root and JSP/JSPX files under the attachment path may be executed by the servlet container, this issue may lead to remote code execution. In configurations where server-side execution is not possible, the vulnerability still allows the intended upload safety policy to be bypassed and active or dangerous content to be stored through public forms.

Affected component: module-form frontend form submission upload endpoint, mapped by JFinal convention to `/form/postData/<uuid>`.

Root cause: `FormController.getFilePaths()` calls `AttachmentUtils.moveFile(uploadFile)` directly without first checking `AttachmentUtils.isUnSafe(uploadFile.getFile())`.

Vendor contact was attempted before this submission, but no response was received / the vendor could not be reached. The issue has not been assigned a CVE and has not been submitted to another CNA.
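The missing step the submission describes is an extension-safety check that runs before the uploaded file is moved into the attachment root. The following is an added, self-contained Python example (not JPress code and not a reconstruction of `AttachmentUtils`) that models such a check, the hardened move-after-check flow, and a small audit helper a defender could use to find files that an unchecked flow has already placed under an attachment directory. The deny-list is an assumption built from the extensions the report mentions; the function names, the `demo()` driver and the sample file names are constructed for this illustration.

```python
"""Extension safety check for public form uploads (added example, not JPress code).

Models the check the submission says FormController.getFilePaths() omits:
an isUnSafe()-style test applied before the upload is moved into the
attachment root. Names and the deny-list are assumptions; the list is the
set of extensions the report mentions, not JPress's real list.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Assumed deny-list: the extensions the report says JPress blocks in its
# other upload flows.
UNSAFE_EXTENSIONS = frozenset({
    "jsp", "jspx", "php", "html", "svg", "js", "exe", "sh", "jar", "war",
})


def is_unsafe_filename(filename: str) -> bool:
    """Return True if an upload with this original name must be rejected.

    Rejects embedded NUL bytes, path separators and '..' (conservatively,
    anywhere in the name), then normalises the name (trim, strip trailing
    dots/spaces, lower-case) and refuses it if ANY dot-separated suffix is
    on the deny-list, so 'a.jsp.png' is rejected as well as 'a.JSP.'.
    """
    if not filename or "\x00" in filename:
        return True
    if "/" in filename or "\\" in filename or ".." in filename:
        return True
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False  # no extension at all, nothing to match
    return any(part in UNSAFE_EXTENSIONS for part in parts[1:])


def store_form_upload(src: Path, original_name: str, attachment_root: Path) -> Path:
    """Hardened flow: check first, move second.

    The vulnerable flow moved the file into the attachment root and never
    ran the check; here an unsafe name raises before anything is written.
    """
    if is_unsafe_filename(original_name):
        raise ValueError(f"rejected unsafe upload name: {original_name!r}")
    attachment_root.mkdir(parents=True, exist_ok=True)
    dest = attachment_root / Path(original_name).name
    shutil.move(str(src), str(dest))
    return dest


def find_unsafe_attachments(attachment_root: Path) -> list[Path]:
    """Detection aid: list files already under the attachment root whose
    names fail the check, e.g. to audit a deployment that ran the unchecked
    flow before it was fixed."""
    return sorted(
        p for p in attachment_root.rglob("*")
        if p.is_file() and is_unsafe_filename(p.name)
    )


def demo() -> dict:
    """Run the check against constructed upload names in a temp directory."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "attachment"
        incoming = Path(tmp) / "incoming"
        for name in ["photo.png", "resume.pdf", "page.JSP", "icon.svg", "x.jsp.png"]:
            incoming.write_bytes(b"constructed sample content")
            try:
                store_form_upload(incoming, name, root)
                results[name] = "stored"
            except ValueError:
                results[name] = "rejected"
        # Constructed leftover: a file an unchecked flow stored earlier.
        root.mkdir(parents=True, exist_ok=True)
        (root / "legacy.jspx").write_bytes(b"constructed")
        results["audit"] = [p.name for p in find_unsafe_attachments(root)]
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting: the check runs on the original client-supplied name before any filesystem write, which is the ordering the report says the vulnerable path lacks, and it looks at every suffix rather than only the last one, which is stricter than a single-extension test but avoids relying on how a particular servlet container or front proxy maps multi-dot names.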