CVE-2021-46386 net.mingsoft:ms-mcms

Package

Manager: maven
Name: net.mingsoft:ms-mcms
Vulnerable Version: >=0 <=5.2.5

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.06397 (percentile: 0.90643)

Details

Mingsoft MCMS is vulnerable to remote code execution via file upload. Mingsoft MCMS is a Java CMS. Versions prior to and including 5.2.5 contain a file upload vulnerability that allows a jspx webshell to be uploaded via `net.mingsoft.basic.action.web.FileAction#upload`, resulting in remote code execution. It is unclear if this issue has been patched.

Metadata

Created: 2022-01-27T00:01:00Z
Modified: 2022-10-25T19:59:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-cwx9-rp4w-4545/GHSA-cwx9-rp4w-4545.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-cwx9-rp4w-4545
Finding: F027
Auto approve: 1