PT-2025-54229 · Unknown · Newbee-Mall-Plus
Zyhsec · Published 2025-12-30 · Updated 2025-12-30 · CVE-2025-15360
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
newbee-mall-plus version 2.0.0
Description
newbee-mall-plus version 2.0.0 allows unrestricted file uploads. The flaw is in the Upload function of src/main/java/ltd/newbee/mall/controller/common/UploadController.java and affects the Product Information Edit Page component. Manipulating the File argument lets a remote attacker upload files without restrictions. The details of this issue have been publicly disclosed. The vendor was informed of this disclosure but did not provide a response.
Recommendations
Apply a fix to the Upload function in src/main/java/ltd/newbee/mall/controller/common/UploadController.java to restrict file upload types and sizes.
Exploit
Fix
Improper Access Control
Unrestricted File Upload
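One way to implement the type and size restriction named under Recommendations, as an added example that is not newbee-mall-plus code or a vendor patch. The class name `UploadValidator`, the 2 MiB cap and the three-image allow-list are assumptions; the code needs Java 17 or later for `HexFormat`.

```java
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Locale;
import java.util.Map;

/** Hypothetical helper: size cap plus extension and content allow-list for image uploads. */
public final class UploadValidator {
    // Assumed policy: 2 MiB cap; each allowed extension is paired with its leading magic bytes.
    private static final int MAX_BYTES = 2 * 1024 * 1024;
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[] {'G', 'I', 'F', '8'});
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns a server-generated storage name, or throws if the upload violates the policy. */
    public static String validate(String clientName, byte[] content) {
        if (content == null || content.length == 0 || content.length > MAX_BYTES) {
            throw new IllegalArgumentException("size outside allowed range");
        }
        // Only the final extension is read; the client-supplied name never reaches the file system.
        int dot = clientName == null ? -1 : clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (ext.equals("jpeg")) ext = "jpg";
        byte[] magic = MAGIC.get(ext);
        if (magic == null) {
            throw new IllegalArgumentException("extension not on allow-list");
        }
        // The content must begin with the signature of the type the extension claims.
        boolean match = content.length >= magic.length;
        for (int i = 0; match && i < magic.length; i++) {
            match = content[i] == magic[i];
        }
        if (!match) {
            throw new IllegalArgumentException("content does not match extension");
        }
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        return HexFormat.of().formatHex(id) + "." + ext; // random name, normalized extension
    }

    public static void main(String[] args) {
        // Constructed samples: a PNG header, a disallowed extension, and text renamed to .png.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};
        System.out.println("stored as " + validate("photo.PNG", png));
        for (String name : new String[] {"page.jsp", "notes.png"}) {
            try { validate(name, "plain text".getBytes()); }
            catch (IllegalArgumentException e) { System.out.println(name + " rejected: " + e.getMessage()); }
        }
    }
}
```

If the controller receives a Spring `MultipartFile` (an assumption about the project), the inputs would come from `getOriginalFilename()` and `getBytes()`, and the size cap should also be enforced at the container level so oversized bodies are refused before they are buffered.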
Related Identifiers
Affected Products
Newbee-Mall-Plus