PT-2025-47485 · Unknown · Egovframe-Common-Components

Pierre Barre · Published 2025-11-19 · Updated 2025-11-22 · CVE-2025-34336

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

eGovFramework/egovframe-common-components versions up to and including 4.3.1

Description

The software contains an unauthenticated file upload issue through the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do API endpoints. These endpoints accept multipart requests without authentication and store uploaded files on the server. Prior to version 4.1.2, an attacker controls the response MIME type, enabling them to use the application as a file hosting service for arbitrary content. From version 4.1.2, non-image files are served with the application/octet-stream content type, preventing attacker control of the content type. The vulnerability allows an unauthenticated attacker to upload files and obtain a download URL. The filename extension is whitelisted, but the attacker controls the file contents.

Recommendations

Versions prior to 4.1.2: Address the attacker-controlled MIME type issue to prevent serving arbitrary content.

Versions up to and including 4.3.1: Implement authentication for the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do endpoints.
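To review whether the two endpoints have already received uploads on a deployment, the following added example (not part of the advisory or the project's code) scans web access logs for POST requests that reached either endpoint. It assumes Common/Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Endpoints named in the advisory; the app may be deployed under any context path.
UPLOAD_ENDPOINTS = ("/utl/wed/insertImage.do", "/utl/wed/insertImageCk.do")

# Assumption: Common/Combined Log Format (host ident user [time] "request" status ...).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2025:10:01:02 +0900] "POST /utl/wed/insertImage.do HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Nov/2025:10:01:09 +0900] "POST /egov/utl/wed/insertImageCk.do;jsessionid=AB12?x=1 HTTP/1.1" 200 498',
    '198.51.100.4 - - [20/Nov/2025:10:02:00 +0900] "GET /utl/wed/insertImage.do HTTP/1.1" 405 0',
    '198.51.100.9 - - [20/Nov/2025:10:03:11 +0900] "POST /utl/wed/insertImage.do HTTP/1.1" 403 0',
    '192.0.2.15 - - [20/Nov/2025:10:04:00 +0900] "POST /index.do HTTP/1.1" 200 1200',
]

def normalise_path(target):
    """Drop the query string and servlet path parameters (;jsessionid=...), then decode."""
    path = urlsplit(target).path
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return unquote(path)

def find_upload_hits(lines):
    """Return one dict per POST request that reached either upload endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalise_path(m["target"])
        if path.endswith(UPLOAD_ENDPOINTS):
            hits.append({"host": m["host"], "time": m["time"],
                         "path": path, "status": int(m["status"])})
    return hits

def accepted_uploads_by_client(hits):
    """Count POSTs the server answered with 2xx, grouped by client address."""
    return Counter(h["host"] for h in hits if 200 <= h["status"] < 300)

if __name__ == "__main__":
    for host, n in accepted_uploads_by_client(find_upload_hits(SAMPLE_LOG)).most_common():
        print(f"{host}: {n} accepted upload request(s)")
```

Requests that returned 403 still appear in `find_upload_hits`, which helps confirm that an authentication or proxy rule placed in front of the endpoints is actually being hit.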

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-34336

Affected Products

Egovframe-Common-Components