CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

CVE-2023-6905

CVE-2023-6903

CVE-2023-6904

CVE-2023-3907

MCMS v5.2.5 was discovered to contain an arbitrary file deletion vulnerability via the component oldFileName.

**SSTI**  
FreeMarker template is used in the project，and there is no secure configuration  
Insert the payload in the background - > system settings - > template management  
<#assign value="freemarker.template.utility.Execute"?new()>${value("whoami")}  
![image](https://user-images.githubusercontent.com/96775289/147651642-f3b51edc-0278-4c75-aec0-79d835c8e335.png)

![image](https://user-images.githubusercontent.com/96775289/147569534-03ac936e-b3c6-413e-8edc-a1c7f8fb4679.png)  
net/mingsoft/basic/action/TemplateAction.java There's a suffix check, it's written to the file  
![image](https://user-images.githubusercontent.com/96775289/147571546-666729e2-5ebf-4276-b6c3-1c652f52aee8.png)

net/mingsoft/basic/util/BasicUtil.java GetRealTemplatePath of this class is called  
![image](https://user-images.githubusercontent.com/96775289/147571639-e379e0c0-631b-46cc-9027-c00352201794.png)

coverage /target/classes/WEB-INF/manager/main.ftl ，Refresh the home page  
![image](https://user-images.githubusercontent.com/96775289/147571700-d5500df5-b65e-4cc3-8fbf-619741c31976.png)

**Delete any file**  
If the oldFileName argument exists, the corresponding file is deleted  
![image](https://user-images.githubusercontent.com/96775289/147571865-882c5e2b-bc07-411d-8cdc-0032b6704663.png)  
Call the FileUtil.class  
![image](https://user-images.githubusercontent.com/96775289/147572105-52e5ff2f-9dda-4063-b567-d091b2be2e55.png)  
poc：  
fileName=x&oldFileName=file destination

Headline

CVE-2021-46062: SSTI、Delete any file · Issue #59 · ming-soft/MCMS

CVE: Latest News