jshERP Vulnerability Report

Discovery Date: 2020-06-30

Vulnerability Details

Issue: The endpoint contains a path traversal vulnerability.
External Input Parameter: is used for path concatenation and file creation.
Impact: The parameter is not validated, so an attacker can craft a path (for example one containing ".." segments) that escapes the intended directory, leading to arbitrary file creation or overwrite in directories of the attacker's choosing.

Affected Information

Project Link: https://gitee.com/jamesnong/jshERP
Affected Version: v5.0
Affected API:
Code Location:

Test Environment Setup

1. JDK 8
2. Maven build
3. MySQL database setup
4. MySQL database initialization
5. Redis startup

Steps to Reproduce

1. Obtain the login captcha
   - Execute the command to get the captcha image.
   - Convert the captcha into an image format and read its content manually.
2. Log in to the system
   - Use the obtained captcha and the default login credentials ( and ) to log in.
3. Generate a file in an arbitrary directory
   - Execute the command with a crafted parameter to create a file in an arbitrary directory.

Code Analysis

1. At line 95 of , the external input parameter is received.
2. At line 102 of , the function is called, and is passed as a path.
3. At line 107 of , the parameter is derived from the previously passed-in parameter .

Conclusion

Creating files from the parameter without validation leads to a path traversal vulnerability. It is recommended to validate the parameter before use: reject values containing path separators or ".." segments, and confirm that the normalized target path still lies inside the intended directory.
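The following is an added Java example, not code from jshERP, that illustrates the pattern described in the Code Analysis and the check recommended in the Conclusion. The class name, the base directory and the attacker-supplied file name are assumptions made for the demonstration; the real endpoint, parameter and target directory are not named on this page.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class PathTraversalDemo {
    // Hypothetical base directory; the real target directory in jshERP is not given on this page.
    static final Path BASE_DIR = Paths
            .get(System.getProperty("java.io.tmpdir"), "jsherp-demo")
            .toAbsolutePath()
            .normalize();

    // Vulnerable pattern: the request parameter is concatenated straight into the path,
    // so "../x" walks out of BASE_DIR before the file is created.
    static Path vulnerableTarget(String userSupplied) {
        return Paths.get(BASE_DIR.toString(), userSupplied);
    }

    // Hardened pattern: accept only a bare file name, then verify the normalized
    // result still starts with BASE_DIR before touching the file system.
    static Path safeTarget(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()
                || userSupplied.contains("/") || userSupplied.contains("\\")
                || userSupplied.indexOf('\0') >= 0
                || userSupplied.equals(".") || userSupplied.equals("..")) {
            throw new IllegalArgumentException("invalid file name: " + userSupplied);
        }
        Path resolved = BASE_DIR.resolve(userSupplied).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        return resolved;
    }

    // File creation as the vulnerable endpoint would perform it, once a path is chosen.
    static void writeFile(Path target, String content) throws IOException {
        Files.createDirectories(target.getParent());
        Files.write(target, content.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        // Constructed attacker input: one ".." segment is enough to leave BASE_DIR.
        String crafted = "../escaped.txt";

        Path vuln = vulnerableTarget(crafted).normalize();
        System.out.println("vulnerable path resolves to: " + vuln
                + " (inside base directory: " + vuln.startsWith(BASE_DIR) + ")");

        try {
            safeTarget(crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened check rejected input: " + e.getMessage());
        }

        Path ok = safeTarget("report.txt");
        writeFile(ok, "demo content");
        System.out.println("hardened path written: " + ok);
    }
}
```

Running the class prints the escaped location the vulnerable concatenation would write to (outside BASE_DIR), the rejection from the hardened check for the same input, and a successful write for a plain file name. The two checks in safeTarget are deliberately redundant: the character filter blocks traversal syntax outright, and the startsWith check on the normalized path catches anything the filter misses, such as a platform-specific form of a path prefix.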