litemall issues

Unrestricted Upload of File with Dangerous Type (CWE-434)

# Summary The endpoint /admin/storage/create allow attacker uploads arbitrary type of file without sanitizer, which leads to Stored XSS, even RCE. # Details - litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java ``` @RequiresPermissions("admin:storage:create") @RequiresPermissionsDesc(menu = {"系统管理",...

NinjaGPT

Arbitrary File Deletion Vulnerability in /admin/storage/delete

# Arbitrary File Deletion Vulnerability in `/admin/storage/delete` ### Summary An arbitrary file deletion vulnerability exists in the **Litemall** system at the `/admin/storage/delete` endpoint. Due to insufficient validation of user-provided input,...

ez-lbz

Captcha Brute-force Vulnerability in Litemall (≤ v1.8.0)

# Captcha Brute-force Vulnerability in Litemall (≤ v1.8.0) ### Summary A captcha brute-force vulnerability exists in **Litemall versions ≤ 1.8.0** due to the use of an insecure third-party component for...

ez-lbz

litemall
litemall copied to clipboard

Metadata

Unrestricted Upload of File with Dangerous Type (CWE-434)

Arbitrary File Deletion Vulnerability in /admin/storage/delete

Captcha Brute-force Vulnerability in Litemall (≤ v1.8.0)

← Metadata

Owner

Metadata

litemall litemall copied to clipboard

Metadata

Unrestricted Upload of File with Dangerous Type (CWE-434)

Arbitrary File Deletion Vulnerability in /admin/storage/delete

Captcha Brute-force Vulnerability in Litemall (≤ v1.8.0)

← Metadata

Owner

Metadata

litemall
litemall copied to clipboard