GHSA-mxx7-67f4-p53j
GitHub Security Advisory
⚠ Unreviewed
CRITICAL
Has CVE
Advisory Details
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
Related CVEs
Key Information
9.0
/10
Dataset
Last updated: September 11, 2025 6:35 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.