CVE-2023-25402
Description
CleverStupidDog yf-exam 1.8.0 is vulnerable to unrestricted file upload. There is no restriction on the suffix of the uploaded file, allowing arbitrary file upload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CleverStupidDog yf-exam 1.8.0 has an unrestricted file upload vulnerability via the /common/api/file/upload endpoint, allowing arbitrary file uploads.
Vulnerability
CleverStupidDog yf-exam version 1.8.0 is vulnerable to an unrestricted file upload. The POST /common/api/file/upload endpoint in com.yf.exam.ability.upload.controller accepts file uploads and passes them to upload(). In the implementation class under com.yf.exam.ability.upload.service.impl, the file is processed via processPath() and renameFile(); the suffix is taken from the client-supplied filename and reused for the stored file without any filtering or validation, so the renamed file keeps whatever extension the attacker chose. This allows any file type, including executable scripts, to be uploaded [1][2].
Exploitation
An attacker can send a crafted HTTP POST request to /common/api/file/upload with a malicious file (e.g., a .jsp or .php shell) in the request body. No authentication or special privileges are required. The server saves the file under the upload directory with the original suffix preserved and returns the accessible URL. The attacker can then request that URL; whether the file is executed rather than served as static content depends on the upload directory being served by a component that executes that file type, which is why the suffix check matters [1][2].
Impact
Successful exploitation allows an attacker to upload arbitrary files, including web shells, leading to remote code execution on the server. This can result in full compromise of the application, data exfiltration, and further internal network attacks [1][2].
Mitigation
As of the published date (2023-03-03), no patched version has been released. The vendor issue tracker [2] confirms the vulnerability. Until a fix is available, the workaround is to validate uploads on the /common/api/file/upload endpoint: allow only the file extensions the application needs (an allowlist, not a denylist of script types), generate the stored filename on the server instead of reusing the client-supplied name, keep the upload directory outside any location the web server or servlet container will execute scripts from, and scan uploaded content. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
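The following Java is an added illustration for this page, not yf-exam's own source. The vulnerableRename method mirrors the pattern described in the Vulnerability section (the suffix of the client-supplied filename is extracted and reused unchanged), and hardenedRename shows the allowlist, server-generated filename and path-containment checks the Mitigation section calls for. The upload directory, method names and allowlist contents are assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/**
 * Illustrative code, not the yf-exam implementation. Shows why keeping the
 * client-chosen suffix is dangerous and what a safe rename looks like.
 */
public class UploadNaming {

    // Assumed upload root for this example. In a real deployment it must not be a
    // directory from which the servlet container or reverse proxy executes scripts.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Assumed allowlist: only what the application actually needs. Script suffixes
    // such as jsp, jspx or php are rejected simply by not being listed.
    private static final Set<String> ALLOWED_SUFFIXES =
            Set.of("jpg", "jpeg", "png", "gif", "pdf", "xlsx");

    /**
     * Vulnerable pattern: the suffix is sliced off the client-supplied name and kept
     * as-is, so "shell.jsp" is stored as <random>.jsp and stays executable.
     */
    static Path vulnerableRename(String originalName) {
        String suffix = "";
        int dot = originalName.lastIndexOf('.');
        if (dot >= 0) {
            suffix = originalName.substring(dot + 1);   // no filtering of any kind
        }
        return UPLOAD_ROOT.resolve(UUID.randomUUID() + "." + suffix);
    }

    /**
     * Hardened version: strips directory components, normalises the suffix, checks it
     * against the allowlist, generates the on-disk name on the server and verifies the
     * final path is still under UPLOAD_ROOT. Returns null when the upload is rejected.
     */
    static Path hardenedRename(String originalName) {
        if (originalName == null || originalName.isEmpty()) {
            return null;
        }
        // Ignore any path the client put in front of the filename ("../../x.jsp").
        String base = Paths.get(originalName).getFileName().toString();
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            return null;                                 // no suffix: reject, do not guess
        }
        String suffix = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_SUFFIXES.contains(suffix)) {
            return null;                                 // "jsp", "php", "jspx" end here
        }
        // The client never controls the stored filename, only the (allowlisted) suffix.
        Path target = UPLOAD_ROOT.resolve(UUID.randomUUID() + "." + suffix).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            return null;                                 // defence in depth against traversal
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample filenames, including the kind an attacker would send.
        String[] samples = {
                "photo.png", "shell.jsp", "../../webapps/ROOT/cmd.jsp", "report.PDF", "noext"
        };
        for (String name : samples) {
            Path bad = vulnerableRename(name);
            Path good = hardenedRename(name);
            System.out.printf("%-30s vulnerable -> %s%n", name, bad.getFileName());
            System.out.printf("%-30s hardened   -> %s%n", name,
                    good == null ? "REJECTED" : good.getFileName());
        }
    }
}
```

Running the class shows that vulnerableRename happily produces a random name ending in .jsp for the shell samples, while hardenedRename rejects them and accepts only photo.png and report.PDF (normalised to .pdf). The allowlist check is the minimum; a complete fix also verifies that the file content matches the claimed type and serves the upload directory without script execution, since a suffix check alone does nothing once an attacker finds a listed extension the container will still execute.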
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CleverStupidDog/yf-exam
  - Range: =1.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.