Sandro Zaccarini

**Name of the Vulnerable Software and Affected Versions** HiveManager Classic versions through 8.1r1 **Description** The issue allows arbitrary JSP code execution by modifying a backup archive before a restore. This is possible because the restore feature does not validate pathnames within the archive. An authenticated, local attacker, even one restricted as a tenant, can exploit this by adding a JSP file at HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps, which will then be exposed at the web interface. **Recommendations** For versions through 8.1r1, consider restricting access to the restore feature and validating pathnames within backup archives to prevent arbitrary JSP code execution. As a temporary workaround, consider disabling the restore feature until a proper validation mechanism is implemented.