VYPR
Critical severity · NVD Advisory · Published Feb 18, 2022 · Updated Aug 4, 2024

CVE-2021-46036

Description

An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MCMS v5.2.4 contains an arbitrary file upload vulnerability in the file upload component, allowing unauthenticated attackers to execute arbitrary code via a crafted .jspx file.

Vulnerability

MCMS v5.2.4 suffers from an arbitrary file upload vulnerability in the /ms/file/uploadTemplate.do endpoint (also accessible via /file/upload) [1]. The application fails to properly validate uploaded file types, only filtering .jsp but not .jspx extensions, allowing attackers to upload malicious JSPX files [1]. This affects the default configuration.
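
The filtering gap described above, modelled as an added example (not MCMS's own code): a denylist that rejects only .jsp, next to an allowlist check that rejects anything not explicitly permitted. The class and method names, the sample file names and the allowlist contents are assumptions.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration; not taken from the MCMS code base. All names are hypothetical.
public class UploadExtensionCheck {
    // Constructed model of the filter the advisory describes: only ".jsp" is rejected.
    static final Set<String> DENIED = Set.of("jsp");
    // Assumed allowlist for a template upload endpoint; trim it to what the site needs.
    static final Set<String> ALLOWED = Set.of("htm", "html", "css", "js", "png", "jpg", "gif");

    // Lower-cased text after the last dot, or "" when the name has no dot.
    static String extension(String filename) {
        int dot = filename.lastIndexOf('.');
        return dot < 0 ? "" : filename.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Weak form: everything not on the denylist passes, so ".jspx" is accepted.
    static boolean denylistAccepts(String filename) {
        return !DENIED.contains(extension(filename));
    }

    // Hardened form: refuse names with path separators or control characters,
    // then accept only extensions that are explicitly allowlisted.
    static boolean allowlistAccepts(String filename) {
        if (filename == null || filename.isEmpty()) {
            return false;
        }
        for (char c : filename.toCharArray()) {
            if (c < 0x20 || c == '/' || c == '\\') {
                return false;
            }
        }
        return ALLOWED.contains(extension(filename));
    }

    public static void main(String[] args) {
        // Constructed sample names.
        List<String> samples = List.of("index.htm", "logo.png", "page.jsp", "page.jspx");
        for (String name : samples) {
            System.out.printf("%-10s denylist=%-5b allowlist=%b%n",
                    name, denylistAccepts(name), allowlistAccepts(name));
        }
    }
}
```

An extension allowlist is one layer; storing uploads in a directory the servlet container does not execute covers the same risk from the other side.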

Exploitation

An unauthenticated attacker can send a POST request to /file/upload.do with a multipart/form-data body containing a .jspx file (e.g., a webshell) [1]. No authentication is required for this endpoint, as demonstrated in the reference [1]. The attacker can then access the uploaded file to execute arbitrary commands.

Impact

Successful exploitation allows remote code execution on the server with the privileges of the web application [1]. An attacker can upload a webshell and gain full control over the MCMS instance, potentially leading to data theft, further compromise, or lateral movement.

Mitigation

As of the publication date (2022-02-18), no official patch has been released for MCMS v5.2.4 [1][2]. Users should restrict access to the vulnerable endpoints via web server configuration or firewall rules, and consider upgrading to a patched version if available. The vendor (ming-soft) may have addressed this in later releases; check the official repository for updates.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.mingsoft:ms-mcms (Maven)
Affected versions: <= 5.2.4
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

References: 4
