漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Redsea Cloud eHR Unauthenticated File Upload RCE via PtFjk.mob
Vulnerability Description
Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endpoint. Attackers can submit a multipart POST request with a JSP webshell disguised using a spoofed image/jpeg Content-Type to bypass the absence of extension and MIME type validation, with the uploaded file stored at a predictable path under the uploadfile directory and executed directly by the web server. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-11-03 (UTC).
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
危险类型文件的不加限制上传
Vulnerability Title
Red Sea Cloud eHR 任意文件上传漏洞
Vulnerability Description
Red Sea Cloud Red Sea Cloud eHR是中国Red Sea Cloud公司的一款云端人力资源管理系统。 Red Sea Cloud eHR存在任意文件上传漏洞,该漏洞源于允许未经验证的攻击者通过PtFjk.mob servlet端点上传恶意文件,绕过扩展名和MIME类型验证,文件存储在可预测路径下并可被Web服务器直接执行,从而可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A