CVE-2020-22755

Vulnerability

Description

CVE-2020-22755 is a file upload vulnerability in MCMS 5.0, a Java-based content management system. The root cause lies in insufficient validation of filenames during thumbnail uploads in the article management feature. The system blocks executable extensions like .jsp and .exe, but fails to handle filenames ending with a trailing dot (e.g., malicious.jsp.). On Windows servers, the operating system automatically strips the trailing dot, resulting in a valid .jsp file being written to disk. [3]

Attack

Vector

An attacker must have access to the article management interface, which typically requires authenticated credentials. The attack exploits two weaknesses: first, a bypass of extension filtering by appending a dot after the prohibited extension (e.g., .jsp.); second, a directory traversal vulnerability that allows the attacker to modify the uploadPath parameter or include ../ sequences to place the uploaded file into an arbitrary directory, such as the web root. No special network position is required beyond being able to send crafted HTTP requests to the MCMS instance. [3]

Impact

Successful exploitation enables an attacker to upload arbitrary files, including web shells (.jsp files), to any location on the server. This leads to remote code execution under the context of the web application, giving the attacker full control over the CMS, its data, and potentially the host server. The vulnerability is distinct from CVE-2022-31943, as noted in the official description. [1][2]

Mitigation

As of the latest disclosure, MCMS 5.0 is affected. The vendor, MingSoft, maintains the project on GitHub, and users are advised to review the issue tracker for any available patches or workarounds. Because the attack relies on both extension bypass and directory traversal, input sanitization for filenames and path parameters should be implemented. No evidence of CVE-2020-22755 being listed in CISA KEV was found. [1][3]