CVE-2023-34660

Vulnerability

Overview The vulnerability exists in the /jeecg-boot/jmreport/upload endpoint of JeecgBoot v3.5.0. The endpoint lacks authentication and fails to validate the uploaded file type, allowing arbitrary files to be uploaded. Source code analysis shows that only a basic ../ path traversal filter is applied, but no check on file extension or content is performed [3].

Exploitation

Method An unauthenticated attacker can send a POST request to /jeecg-boot/jmreport/upload with a crafted file (e.g., an HTML file containing JavaScript or a shell script). The file is stored on the server, and its path is returned. The attacker can then access the uploaded file to execute malicious scripts (stored XSS) or, if the server executes uploaded scripts, achieve remote code execution [2][3].

Impact

Successful exploitation can lead to stored cross-site scripting (XSS) when the uploaded HTML is viewed by other users. Additionally, uploading executable files (e.g., .sh scripts) may enable arbitrary code execution on the server, depending on server configuration and file execution permissions [3].

Mitigation

Status As of the issue report, versions 3.5.0 and 3.5.1 are confirmed vulnerable; other versions have not been verified. Users should upgrade to a patched version (if available) or implement access controls and file type validation on the upload endpoint. The official repository does not provide an explicit fix advisory, but the issue has been reported (CVE-2023-34660) [2].