CVE-2018-18830

An issue was discovered in com\mingsoft\basic\action\web\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename, and then intercept the data packet. In the name parameter, change the suffix to jsp. In the response, the server returns the storage path of the file, which can be accessed to execute arbitrary JSP code.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://gitee.com/mingSoft/MCMS/issues/IO0IQ	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mingsoft:mcms:4.6.5:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-10-30 06:29

Updated : 2023-12-10 12:44

NVD link : CVE-2018-18830

Mitre link : CVE-2018-18830

CVE.ORG link : CVE-2018-18830

JSON object : View

Products Affected

mingsoft

mcms

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2018-18830", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-10-30T06:29:00.843", "references": [{"url": "https://gitee.com/mingSoft/MCMS/issues/IO0IQ", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in com\\mingsoft\\basic\\action\\web\\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename, and then intercept the data packet. In the name parameter, change the suffix to jsp. In the response, the server returns the storage path of the file, which can be accessed to execute arbitrary JSP code."}, {"lang": "es", "value": "Se ha descubierto un problema en com\\mingsoft\\basic\\action\\web\\FileAction.java en MCMS 4.6.5. Ya que la interfaz de subida no verifica el estado de inicio de sesi\u00f3n del usuario, se puede emplear esta interfaz para subir archivos sin establecer una cookie. En primer lugar, se inicia la subida de c\u00f3digo JSP con un nombre de archivo .png y, despu\u00e9s, se intercepta el paquete de datos. En el par\u00e1metro name, se cambia el sufijo a jsp. En la respuesta, el servidor devuelve la ruta de almacenamiento del archivo, al que se puede acceder para ejecutar c\u00f3digo JSP arbitrario."}], "lastModified": "2018-12-11T18:22:27.423", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mingsoft:mcms:4.6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E33409E8-42F6-49B0-899E-BBFE3CFF42F7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}