CVE-2023-34660 : jjeecg-boot V3.5.0 has an unauthorized arbitrary file upload in /jeecg-boot/jmre

jjeecg-boot V3.5.0 has an unauthorized arbitrary file upload in /jeecg-boot/jmreport/upload interface.

Published 2023-06-16 18:15:09

Updated 2023-06-23 21:24:21

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-34660

Jeecg » Jeecg Boot » Version: 3.5.0
cpe:2.3:a:jeecg:jeecg_boot:3.5.0:*:*:*:*:*:*:*
Matching versions
Jeecg » Jeecg Boot » Version: 3.5.1
cpe:2.3:a:jeecg:jeecg_boot:3.5.1:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 33 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: nvd@nist.gov (Primary)

https://github.com/jeecgboot/jeecg-boot/issues/4990

/jeecg-boot/jmreport/upload接口存在未授权任意文件上传 · Issue #4990 · jeecgboot/jeecg-boot · GitHub
Exploit

Jump to