PT-2026-55262 · Yonyou · Ksoa
Published
2026-07-02
·
Updated
2026-07-02
·
CVE-2022-50973
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Yonyou KSOA version 9.0
Description
An unauthenticated arbitrary file upload issue exists in the
com.sksoft.bill.ImageUpload servlet. Unauthenticated attackers can upload arbitrary files by submitting a POST request to the endpoint without authentication or validation of file type, extension, or content. By specifying a malicious filename and root filepath, an attacker can upload a JSP webshell to the pictures directory, which the web server then executes, leading to remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-11-07 (UTC).Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ksoa