J0hNs0N
Unauthorized API: @GetMapping("/picturesPreview") applies no XSS (Cross Site Scripting) defense to the parameter currentUrl, resulting in a cross-site scripting vulnerability. *cn.keking.web.controller.OnlinePreviewController#picturesPreview*  *src/main/resources/web/picture.ftl*  Attack...
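The report above says currentUrl reaches picture.ftl without an XSS defense. The following is an added example, not code from the reported project or from the reporter: it models a template that reflects the parameter in an attribute and a text context, and puts beside it the two checks a practitioner would add, a scheme/host allow-list before rendering and context-appropriate HTML escaping at the interpolation point. The template string, the payload and the function names are constructed for this illustration; the real picture.ftl is not reproduced here.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for the reflecting template. The real picture.ftl is not
# reproduced here; this models an attribute context and a text context, which
# are the two places html.escape() is the correct defense (a script block would
# need JavaScript-string escaping instead).
PAGE_TEMPLATE = '<img src="{url}" alt="preview"><p>Source: {url}</p>'

# Constructed payload: a syntactically valid http URL that breaks out of the
# src attribute if reflected verbatim.
PAYLOAD = 'http://example.com/a.png"><script>alert(1)</script>'


def render_vulnerable(current_url: str) -> str:
    """Interpolate currentUrl verbatim, as an unescaped template expression would."""
    return PAGE_TEMPLATE.format(url=current_url)


def validate_picture_url(current_url: str) -> str:
    """Allow only absolute http(s) URLs; anything else is refused before rendering."""
    parts = urlsplit(current_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("currentUrl must be an absolute http(s) URL")
    return current_url


def render_hardened(current_url: str) -> str:
    """Validate, then HTML-escape (quote=True also escapes \" and ') before interpolating."""
    safe = html.escape(validate_picture_url(current_url), quote=True)
    return PAGE_TEMPLATE.format(url=safe)


def try_render_hardened(current_url: str):
    """Return the rendered page, or None when validation rejects the input."""
    try:
        return render_hardened(current_url)
    except ValueError:
        return None


def contains_live_script(page: str) -> bool:
    """Crude oracle for the demo: does an unescaped <script> tag reach the page?"""
    return "<script>" in page


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(PAYLOAD))
    print("hardened   :", render_hardened(PAYLOAD))
    print("no scheme  :", try_render_hardened('"><script>alert(1)</script>'))
```

Validation alone is not enough: the payload above is a well-formed http URL and passes the allow-list, so the escaping at the interpolation point is what actually neutralises it. Conversely, escaping alone would still let a javascript: URL through into the src attribute, which is why both checks are kept.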
This is the Chinese report; the English report is at: [Arbitrary file upload vulnerability](https://github.com/anji-plus/report/issues/10)
### Description
***@PostMapping /reportDashboard/import/{reportCode}*** The interface for importing a big screen accepts file uploads, does not restrict the file suffix, and does not check, filter or sanitize the file name, leading to an arbitrary file deletion vulnerability.
### Vulnerability details
This interface receives the uploaded file and hands it to ***reportDashboardService.importDashboard()*** for processing. *com.anjiplus.template.gaea.business.modules.dashboard.controller.ReportDashboardController#importDashboard*  Following ***reportDashboardService.importDashboard()***, this method calls ***FileUtil.decompress(file, path);***...
This is the English report; the Chinese report is at: [Arbitrary file upload vulnerability](https://gitee.com/anji-plus/report/issues/I5XU86)
### Description
***@PostMapping /reportDashboard/import/{reportCode}*** In the interface for importing the big screen, it accepts file uploads, does not limit...
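Both versions of the report above (the Chinese and the English one) say the import endpoint accepts any file suffix, never sanitizes the file name, and hands the upload to FileUtil.decompress(file, path). The following is an added example, not the anji-plus/report project's code and not the reporter's: it shows the two checks a practitioner would put in front of such a call, a suffix/name check on the upload and a decompressor that refuses archive entries resolving outside the destination directory. The excerpt does not show what the real decompress does, so treating the archive entry names as untrusted is an assumption about what a safe decompressor must do; the zip contents, the directory layout and the function names are constructed for this illustration.

```python
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumption for this example: only .zip archives are expected on the import endpoint.
ALLOWED_UPLOAD_SUFFIXES = {".zip"}


def check_upload_name(filename: str) -> str:
    """Validate the uploaded file name before it reaches the decompress step."""
    name = PurePosixPath(filename).name          # bare name, no directory components
    if name != filename or name in ("", ".", ".."):
        raise ValueError(f"rejected upload name: {filename!r}")
    if PurePosixPath(name).suffix.lower() not in ALLOWED_UPLOAD_SUFFIXES:
        raise ValueError(f"unexpected suffix on upload: {filename!r}")
    return name


def upload_name_accepted(filename: str) -> bool:
    try:
        check_upload_name(filename)
        return True
    except ValueError:
        return False


def safe_decompress(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Extract every entry, refusing any whose resolved path leaves dest (zip slip)."""
    dest = dest.resolve()
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Joining an absolute or '..' entry name and resolving it exposes the escape.
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"zip entry escapes destination: {info.filename!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))      # zf.read() does not sanitize names
            written.append(target)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive; used here only to construct the sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)               # writestr keeps '../' in entry names
    return buf.getvalue()


# Constructed sample archives: one benign dashboard export, one traversal attempt.
BENIGN_ZIP = build_zip({"dashboard.json": b"{}", "images/logo.png": b"\x89PNG"})
TRAVERSAL_ZIP = build_zip({"../evil.txt": b"pwned"})


def demo() -> dict:
    """Run both archives through safe_decompress in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "reportDashboard"
        dest.mkdir()
        written = [p.relative_to(dest.resolve()).as_posix()
                   for p in safe_decompress(BENIGN_ZIP, dest)]
        try:
            safe_decompress(TRAVERSAL_ZIP, dest)
            rejected = False
        except ValueError:
            rejected = True
        outside_written = (Path(tmp) / "evil.txt").exists()
    return {"written": written, "traversal_rejected": rejected,
            "outside_written": outside_written}


if __name__ == "__main__":
    print(demo())
    print("dash.zip accepted:", upload_name_accepted("dash.zip"))
    print("../x.zip accepted:", upload_name_accepted("../x.zip"))
```

The name check and the entry check are deliberately separate: a clean upload name says nothing about the names inside the archive, so the containment test has to run on every entry as it is extracted.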