Platform: java
Component: ujcms
Fixed in: 9.7.6
CVE-2025-2490 is an Unrestricted File Upload vulnerability affecting Dromara ujcms versions 9.7.5 through 9.7.5. This flaw allows attackers to upload arbitrary files, potentially leading to cross-site scripting (XSS) attacks. The vulnerability resides within the uploadZip/upload function of the File Upload component. A patch is available in version 9.7.6.
Successful exploitation of CVE-2025-2490 allows an attacker to upload malicious files to the Dromara ujcms server. These files, if crafted appropriately, can be leveraged to execute XSS attacks against users visiting the affected website. This could result in session hijacking, defacement of the website, or the theft of sensitive user data. The ability to upload arbitrary files significantly expands the attack surface, as attackers can potentially upload web shells or other malicious code to gain persistent access to the system.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the potential for XSS attacks makes it a concern. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. Public proof-of-concept exploits are likely to emerge given the public disclosure.
Websites and applications utilizing Dromara ujcms versions 9.7.5 through 9.7.5 are at risk. This includes organizations that rely on ujcms for content management and those with publicly accessible file upload functionalities. Shared hosting environments using ujcms are particularly vulnerable due to the potential for cross-tenant attacks.
• java / server:
  find /var/log/ujcms -type f -name '*.log' -exec grep -il "uploadZip/upload" {} +
• generic web:
  curl -I 'https://your-ujcms-site.com/upload.php?file=malicious.php' | grep 'Content-Type:'
disclosure
Exploit status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2490 is to upgrade Dromara ujcms to version 9.7.6 or later, which contains the fix. If upgrading immediately is not possible, consider implementing strict file upload validation on the server-side to prevent the upload of potentially malicious files. This includes validating file extensions, file sizes, and content types. Web application firewalls (WAFs) can also be configured to block suspicious file upload attempts. After upgrading, confirm the vulnerability is resolved by attempting a file upload with a known malicious extension and verifying that it is rejected.
Update Dromara ujcms to a version later than 9.7.5 that fixes the Cross-Site Scripting (XSS) vulnerability in the file upload function. Check the changelog or release notes to confirm that the vulnerability has been addressed. As a temporary measure, thorough validation and sanitization of user input in the file upload function can be implemented to mitigate the XSS risk.
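Server-side validation of an uploaded archive, in the spirit of the interim workaround above, as an added example that is not ujcms code: it rejects entries whose extension is outside an allow-list (no .html, .svg or .js that a browser would execute), names that traverse outside the upload directory, oversized entries, and files whose leading bytes do not match the declared image or document type. The allow-list, the magic-byte table, the size caps and the sample archives are assumptions for this example.

```python
import io
import posixpath
import zipfile

# Allow-list (assumed policy): no .html/.svg/.js, since script in them is the XSS vector.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",  # expected leading bytes
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8", "pdf": b"%PDF-"}
MAX_ENTRY_BYTES = 5 * 1024 * 1024    # per-entry cap (assumed policy)
MAX_TOTAL_BYTES = 20 * 1024 * 1024   # uncompressed total cap (assumed policy)

def validate_upload_zip(data: bytes) -> list[str]:
    """Return rejection reasons for an uploaded archive; empty list = accept."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems, total = [], 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        norm = posixpath.normpath(name)  # reject traversal/absolute paths first
        if name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
            problems.append(f"{name}: unsafe path")
            continue
        ext = posixpath.basename(name).rpartition(".")[2].lower()
        if ext not in ALLOWED_EXT:
            problems.append(f"{name}: extension not allowed")
            continue
        if info.file_size > MAX_ENTRY_BYTES:
            problems.append(f"{name}: entry too large")
            continue
        total += info.file_size
        if total > MAX_TOTAL_BYTES:
            problems.append("archive exceeds total uncompressed size limit")
            break
        # Declared type must match the first bytes, else it is renamed active content.
        head = zf.open(info).read(16)
        if ext in MAGIC and not head.startswith(MAGIC[ext]):
            problems.append(f"{name}: content does not match .{ext}")
    return problems

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out:
        for name, content in entries.items():
            out.writestr(name, content)
    return buf.getvalue()
```

Serving accepted files with a fixed Content-Type and `X-Content-Type-Options: nosniff` keeps a browser from reinterpreting an image as a page.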
CVE-2025-2490 is a vulnerability in Dromara ujcms versions 9.7.5–9.7.5 that allows attackers to upload arbitrary files, potentially leading to cross-site scripting (XSS).
If you are using Dromara ujcms version 9.7.5, you are affected by this vulnerability. Upgrade to version 9.7.6 or later to mitigate the risk.
Upgrade Dromara ujcms to version 9.7.6 or later. Implement strict file upload validation as a temporary workaround if immediate upgrade is not possible.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the Dromara ujcms official website or security advisories for the latest information and updates regarding CVE-2025-2490.