CVE-2024-43033

Name of the Vulnerable Software and Affected Versions JPress versions through 5.1.1

Description The issue is an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to io.jpress.web.commons.controller.AttachmentController#upload. This vulnerability allows for potential code execution on the server.

Recommendations For JPress versions through 5.1.1, consider disabling the upload function in AttachmentController until a patch is available to prevent arbitrary file uploads and potential code execution. Restrict access to the AttachmentController to minimize the risk of exploitation. Avoid using the ::$DATA technique in file uploads to the affected AttachmentController until the issue is resolved.