CVE-2022-31943
Description
MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MCMS v5.2.8 allows arbitrary file upload via a zip archive containing a JSP file, bypassing extension filters, leading to remote code execution.
Vulnerability
Description
MCMS v5.2.8 contains an arbitrary file upload vulnerability in its file upload mechanism. The upload check is a denylist: it blocks file extensions such as .exe, .jsp, .jspx, and .sh, but permits the upload of .zip archives [1]. This oversight allows an attacker to upload a zip file containing a malicious JSP webshell.
Exploitation
An authenticated attacker with access to the article thumbnail upload feature can upload a crafted zip archive. By subsequently invoking the template action that parses zip files (TemplateAction.class), the system extracts the archive and deploys the embedded JSP file to the server [3]. No additional authentication is required beyond the initial upload privileges.
Impact
Successful exploitation enables the attacker to execute arbitrary code on the server via the uploaded JSP webshell. This can lead to full compromise of the MCMS application and the underlying server, including data theft, defacement, or further lateral movement.
Mitigation
As of the publication date, no official patch has been released. Users should restrict upload permissions to trusted administrators, implement strict file type validation on the server side, and consider disabling the zip parsing functionality if not required.
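The following is an added illustration of the server-side validation recommended above; it is not code from MCMS or from the advisory, and it is written in Python rather than the project's Java so the logic stays short. It contrasts the denylist pattern described in the advisory (which lets a .zip through) with an allowlist of expected thumbnail types, and shows a pre-extraction scan that rejects any archive carrying server-executable entries or path-traversal names. All extension sets, function names and sample archives are constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed for this example: the denylist pattern described in the advisory.
DENYLIST = {".exe", ".jsp", ".jspx", ".sh"}

# Constructed allowlist: the only types an article thumbnail upload should ever accept.
ALLOWED_IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}

# Entries that would become executable by the servlet container if extracted into the webroot.
EXECUTABLE_ENTRY_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".sh", ".exe", ".war"}


def denylist_allows(filename: str) -> bool:
    """Denylist check: anything not explicitly blocked passes, so 'cover.zip' is accepted."""
    return PurePosixPath(filename).suffix.lower() not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Allowlist check: only the expected image types pass; archives are rejected outright."""
    return PurePosixPath(filename).suffix.lower() in ALLOWED_IMAGE_EXTENSIONS


def archive_findings(data: bytes) -> list:
    """Inspect a zip payload before any template/zip parser gets to extract it.

    Returns a list of human-readable rejection reasons; an empty list means no
    executable entries or traversal paths were found. The archive is read from
    memory and nothing is written to disk.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            path = PurePosixPath(name)
            # Absolute paths or '..' components could land an entry outside the target dir.
            if name.startswith("/") or ".." in path.parts:
                findings.append(f"path traversal entry: {name}")
            if path.suffix.lower() in EXECUTABLE_ENTRY_EXTENSIONS:
                findings.append(f"server-executable entry: {name}")
    return findings


def build_sample_zip(entries) -> bytes:
    """Build a small in-memory archive from (name, content) pairs (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an image next to a JSP placeholder (no real payload).
    sample = build_sample_zip([
        ("thumb.png", b"\x89PNG placeholder"),
        ("page.jsp", "<%-- placeholder, not a real page --%>"),
        ("../escape.txt", "traversal test"),
    ])
    print("denylist accepts cover.zip:", denylist_allows("cover.zip"))
    print("allowlist accepts cover.zip:", allowlist_allows("cover.zip"))
    for reason in archive_findings(sample):
        print("reject:", reason)
```

The allowlist check is the fix the advisory's mitigation calls for; the archive scan is a second layer for deployments that legitimately need zip parsing (for example template imports) and want to refuse archives before extraction rather than after. Note that the scan only inspects entry names, so it should accompany, not replace, serving uploads from a non-executable location.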
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MCMS/MCMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4828-473v-37gh (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-31943 (ADVISORY)
- github.com/ming-soft/MCMS/issues/95 (MISC, WEB)
News mentions
No linked articles in our index yet.