PT-2019-18702 · Inxedu · Inxedu

Ziliudi · Published 2019-02-09 · Updated 2019-02-22 · CVE-2019-7684

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: inxedu through 2018-12-24

Description: The issue allows an attacker to upload a malicious JSP file. This is achieved by exploiting the fileType parameter in the /video/uploadvideo API endpoint to modify the list of acceptable file extensions from jpg,gif,png,jpeg to jpg,gif,png,jsp,jpeg. The vulnerable code is located in the com.inxedu.os.common.controller.VideoUploadController class, specifically in the gok4 method.

Recommendations: For inxedu through 2018-12-24, consider restricting access to the /video/uploadvideo API endpoint to prevent the upload of malicious JSP files until a fix is available. Additionally, as a temporary workaround, restrict the fileType parameter to only allow the original list of acceptable extensions: jpg,gif,png,jpeg.
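The root cause described above is that the set of acceptable extensions was taken from a request parameter, so a client could add jsp to it. The following is an added example of the hardened pattern the recommendation points at; it is not inxedu's code and the class and method names (SafeUploadPolicy, isAllowed, storageName) are assumptions. The allowlist is a compile-time constant, nothing from the request can extend it, and the stored filename is generated server-side rather than taken from the upload.

```java
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Hypothetical hardened upload validator (added example, not inxedu code).
public final class SafeUploadPolicy {

    // Server-side allowlist, fixed at build time. No request parameter
    // (such as fileType) is consulted, so a client cannot append "jsp".
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("jpg", "gif", "png", "jpeg");

    private SafeUploadPolicy() {}

    /** Lower-cased final extension of the supplied name, or "" if there is none. */
    static String extensionOf(String originalName) {
        if (originalName == null) {
            return "";
        }
        // Discard any directory component the client may have sent.
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            return "";
        }
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True only if the final extension is in the fixed allowlist. */
    static boolean isAllowed(String originalName) {
        return ALLOWED_EXTENSIONS.contains(extensionOf(originalName));
    }

    /**
     * Name to store on disk: a random UUID plus the validated extension.
     * The client-supplied base name is never reused.
     */
    static String storageName(String originalName) {
        if (!isAllowed(originalName)) {
            throw new IllegalArgumentException("file type not permitted");
        }
        return UUID.randomUUID() + "." + extensionOf(originalName);
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from a real upload.
        String[] samples = {
            "photo.JPG", "shell.jsp", "photo.png.jsp", "..\\..\\x.gif", "noext"
        };
        for (String s : samples) {
            String verdict = isAllowed(s) ? "accept as " + storageName(s) : "reject";
            System.out.printf("%-16s -> %s%n", s, verdict);
        }
    }
}
```

In this example "photo.JPG" and the traversal-prefixed "x.gif" are accepted (the directory part is dropped and only the final extension matters), while "shell.jsp", "photo.png.jsp" and a name with no extension are rejected. A handler built on this policy should also ignore the fileType parameter entirely rather than validate it, since a parameter that cannot change the allowlist has no reason to exist.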

Exploit

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2019-7684

Affected Products

Inxedu