CVE-2021-46386
Published: 2022-01-26
Priority: P2 (63) · CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.11% (86.2th percentile)
File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mingsoft | mcms | <= 5.2.5 | — |
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
ghsa · 2022-01-27
CVE-2021-46386 [CRITICAL] CWE-434: Mingsoft MCMS vulnerable to Remote Code Execution via file upload.
Mingsoft MCMS is a Java CMS. Versions prior to and including 5.2.5 contain a file upload vulnerability allowing for a jspx webshell to be uploaded via net.mingsoft.basic.action.web.FileAction#upload, resulting in remote code execution. It is unclear if this issue has been patched.
OSV
osv · 2022-01-27
CVE-2021-46386 [CRITICAL]: Mingsoft MCMS vulnerable to Remote Code Execution via file upload.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.