PT-2025-2066 · Unknown · Donglight Bookstore电商书城系统说明

Lvzc1 · Published 2025-01-09 · Updated 2025-01-09 · CVE-2024-13210

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: donglight bookstore电商书城系统说明 version 1.0

Description: A critical issue has been found in the uploadPicture function of the AdminBookController class, located in the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController.java. Manipulating the pictureFile argument results in an unrestricted file upload. The issue can be exploited remotely. The exploit has been publicly disclosed and may be used.

Recommendations: For version 1.0, as a temporary workaround, consider disabling the uploadPicture function until a patch is available. Restrict what the pictureFile argument of uploadPicture may carry to minimize the risk of exploitation.
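What restricting pictureFile looks like in practice, as an added example that is not the project's own code: a handler written against Spring's MultipartFile (assumed to be the type behind uploadPicture) that allowlists image extensions, checks the file's magic bytes, caps the size and stores the file under a server-chosen name. The class name, the store() method and the uploadDir parameter are assumptions.

```java
// Added example, not the project's code: a hardened replacement for an
// upload handler like uploadPicture, written against Spring's MultipartFile.
// The class name, store() and the uploadDir parameter are assumptions.
import org.springframework.web.multipart.MultipartFile;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;

public class SafePictureUpload {
    private static final long MAX_BYTES = 2L * 1024 * 1024; // 2 MiB cap

    // Allowlist: extension -> magic bytes the file content must begin with.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[] {'G', 'I', 'F', '8'});

    // Validates pictureFile, stores it under a server-chosen name, returns that name.
    public static String store(MultipartFile pictureFile, Path uploadDir) throws IOException {
        if (pictureFile == null || pictureFile.isEmpty() || pictureFile.getSize() > MAX_BYTES) {
            throw new IllegalArgumentException("missing, empty or oversized picture");
        }
        // Only the extension of the client-supplied name is consulted; the name itself is discarded.
        String name = pictureFile.getOriginalFilename();
        int dot = name == null ? -1 : name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase();
        if (ext.equals("jpeg")) ext = "jpg";
        byte[] expected = MAGIC.get(ext);
        if (expected == null) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Content check: a server-side script renamed to .png fails here, whatever Content-Type says.
        try (InputStream in = pictureFile.getInputStream()) {
            if (!Arrays.equals(in.readNBytes(expected.length), expected)) {
                throw new IllegalArgumentException("content does not match ." + ext);
            }
        }
        // Random name plus allowlisted extension: no path traversal, no attacker-chosen suffix.
        Path target = uploadDir.resolve(UUID.randomUUID() + "." + ext);
        try (InputStream in = pictureFile.getInputStream()) {
            Files.copy(in, target);
        }
        return target.getFileName().toString();
    }
}
```

uploadDir should sit outside any directory the servlet container executes or serves as JSP, and the call must remain behind the existing admin authorization check (the vector scores PR:H).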

Exploit · Fix · Improper Access Control · Unrestricted File Upload

Weakness Enumeration: Improper Access Control, Unrestricted File Upload

Related Identifiers: CVE-2024-13210

Affected Products: Donglight Bookstore电商书城系统说明