VYPR
Critical severity · NVD Advisory · Published Aug 6, 2021 · Updated Aug 4, 2024

CVE-2020-28088

Description

An arbitrary file upload vulnerability in /jeecg-boot/sys/common/upload of jeecg-boot CMS 2.3 allows attackers to execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JeecgBoot CMS 2.3 has an arbitrary file upload vulnerability in the /jeecg-boot/sys/common/upload endpoint, allowing attackers to execute arbitrary code.

Vulnerability

CVE-2020-28088 is an arbitrary file upload vulnerability in the /jeecg-boot/sys/common/upload endpoint of JeecgBoot CMS version 2.3. The vulnerable code resides in CommonController.java at line 76 in the jeecg-boot-base-common module [3]. No authentication is required to reach the upload functionality, and the file type validation is insufficient, allowing an attacker to upload arbitrary files, including executable scripts.

Exploitation

An unauthenticated attacker with network access to the JeecgBoot application can exploit this vulnerability by sending a crafted multipart HTTP request to the /jeecg-boot/sys/common/upload endpoint. Using an intercepting proxy or packet editing tool, the attacker rewrites the uploaded file's name suffix and body so that a server-side script passes the weak file-type checks [3]. No special privileges or user interaction are required.
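The upload-then-execute pattern described above leaves a recognisable trace in web-server access logs. The following Python script is an added example written for this page (not part of the advisory or of JeecgBoot): it parses combined-format log lines, flags every client that POSTed to the upload endpoint, and raises the severity when the same client later requests a server-side script such as a .jsp file. The endpoint path comes from the advisory; the log lines, client IPs, timestamps and the /jeecg-boot/upload/temp/ directory are constructed for the example.

```python
"""Hunt for CVE-2020-28088-style abuse in web-server access logs.

Added example, not advisory or JeecgBoot code. The upload endpoint is the
one named in the advisory; the sample log lines, IPs, times and the
upload directory are constructed/assumed for the example.
"""
import re
from collections import defaultdict

UPLOAD_ENDPOINT = "/jeecg-boot/sys/common/upload"
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".jspf")

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one attacker (upload, then execute), one benign upload.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2021:10:00:01 +0000] "GET /jeecg-boot/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Aug/2021:10:00:07 +0000] "POST /jeecg-boot/sys/common/upload HTTP/1.1" 200 143 "-" "python-requests/2.25"
203.0.113.5 - - [06/Aug/2021:10:00:09 +0000] "GET /jeecg-boot/upload/temp/shell.jsp?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.25"
198.51.100.9 - - [06/Aug/2021:10:05:30 +0000] "POST /jeecg-boot/sys/common/upload HTTP/1.1" 200 140 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Aug/2021:10:05:31 +0000] "GET /jeecg-boot/upload/temp/report.pdf HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """One finding per client that POSTed to the upload endpoint.

    A client that afterwards requests a path ending in a script extension
    (the uploaded payload being executed) is rated high, a lone upload medium.
    """
    uploads = defaultdict(list)
    script_hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        # Strip the query string so "shell.jsp?cmd=id" still matches on extension.
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads[rec["ip"]].append(rec["time"])
        if path.lower().endswith(SCRIPT_EXTENSIONS):
            script_hits.append((rec["ip"], path, rec["status"]))

    findings = []
    for ip, times in uploads.items():
        executed = [h for h in script_hits if h[0] == ip]
        findings.append({
            "ip": ip,
            "uploads": len(times),
            "script_requests": [h[1] for h in executed],
            "severity": "high" if executed else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

Run against real logs, replace SAMPLE_LOG with the file contents and adjust SCRIPT_EXTENSIONS and the directory conventions for the deployment; a 200 on a .jsp under an upload directory is the signal worth paging on.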

Impact

Successful exploitation allows the attacker to upload arbitrary files, including web shells, to the server. This leads to remote code execution (RCE) with the privileges of the account running the JeecgBoot application (typically the servlet container), resulting in full compromise of the application and potentially the underlying host system [1][2][3].

Mitigation

As of the available references, no official fix or patched version has been confirmed for JeecgBoot 2.3. Users are advised to restrict access to the /jeecg-boot/sys/common/upload endpoint via web server or firewall rules, implement strict file type and content validation, or upgrade to a newer version if a patch becomes available [1]. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
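The "strict file type and content validation" recommended above is easy to state and easy to get wrong. The block below is an added example written for this page, not JeecgBoot code and not a patch for CVE-2020-28088 (the project's upload handler is Java). It places a weak denylist check, of the kind that a changed suffix bypasses, next to a hardened validator that allowlists extensions, checks the content's magic bytes against the claimed type, rejects trailing dots/spaces and nested script extensions, and stores the file under a server-generated name. The magic-byte table, the size limit and the upload directory are assumptions for the example.

```python
"""Upload validation: a weak suffix denylist beside an allowlist + content check.

Added example, not JeecgBoot code. ALLOWED signatures, MAX_BYTES and the
upload_dir default are assumptions chosen for the illustration.
"""
import os
import secrets


def weak_check(filename):
    """Denylist on the exact lower-case suffix; returns True if accepted.

    Bypassed by a case change ("shell.JSP"), a trailing space or dot that the
    filesystem later strips, or any extension the denylist did not think of.
    """
    return not filename.endswith(".jsp")


# Allowlist: extension -> acceptable leading bytes (assumed for the example).
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
SCRIPT_EXTS = (".jsp", ".jspx", ".jspf", ".php", ".asp", ".aspx")
MAX_BYTES = 10 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def strict_check(filename, content, upload_dir="/var/app/uploads"):
    """Validate an upload and return the path it would be stored under.

    Raises UploadRejected on any failure. The returned path never contains
    the client-supplied name, so the attacker controls neither the
    location nor the extension the server will serve the file with.
    """
    if len(content) > MAX_BYTES:
        raise UploadRejected("too large")
    # Drop any directory component the client sent (path traversal).
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base or base != base.strip(" ."):
        raise UploadRejected("suspicious characters in name")
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # "shell.jsp.png": the inner extension must not be a script type either,
    # for servers that honour multiple extensions.
    if os.path.splitext(root)[1].lower() in SCRIPT_EXTS:
        raise UploadRejected("nested script extension")
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Cheap polyglot rejection: script markers embedded in an otherwise valid image.
    if b"<%" in content or b"<?php" in content:
        raise UploadRejected("script markers in content")
    stored = secrets.token_hex(16) + ext
    return os.path.join(upload_dir, stored)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("weak_check('shell.JSP') accepts:", weak_check("shell.JSP"))
    print("strict_check stores photo.png at:", strict_check("photo.png", png))
    for name, data in [("shell.JSP", png), ("shell.jsp.png", png), ("a.png", b"<% out %>")]:
        try:
            strict_check(name, data)
        except UploadRejected as e:
            print(f"rejected {name!r}: {e}")
```

Keep the upload directory outside the servlet container's document root and serve files from it only through a handler that sets Content-Disposition and a fixed Content-Type; validation alone does not help if a valid image is later interpreted as a script.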

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jeecgframework.boot:jeecg-boot-parent (Maven)
Affected versions: <= 2.3
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in the index yet)