CVE-2019-17490

Name of the Vulnerable Software and Affected Versions Jiangnan Online Judge (aka jnoj) version 0.8.0

Description The issue allows for arbitrary file upload. This can be achieved by uploading PHP code with a .php filename but setting the content type to image/png, and sending it to the "web/polygon/problem/tests" API endpoint.

Recommendations For Jiangnan Online Judge (aka jnoj) version 0.8.0, consider disabling the file upload functionality in the ProblemController until a patch is available. Restrict access to the "web/polygon/problem/tests" API endpoint to minimize the risk of exploitation. Avoid allowing uploads with mismatched file extensions and content types.