Platform: java
Component: ujcms
Fixed in: 9.7.6
CVE-2025-2490 is an Unrestricted File Upload vulnerability affecting Dromara ujcms version 9.7.5. The flaw allows attackers to upload arbitrary files, which can lead to cross-site scripting (XSS). The vulnerability resides in the uploadZip/upload function of the File Upload component. A patch is available in version 9.7.6.
Successful exploitation of CVE-2025-2490 allows an attacker to upload malicious files to the Dromara ujcms server. These files, if crafted appropriately, can be leveraged to execute XSS attacks against users visiting the affected website. This could result in session hijacking, defacement of the website, or the theft of sensitive user data. The ability to upload arbitrary files significantly expands the attack surface, as attackers can potentially upload web shells or other malicious code to gain persistent access to the system.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the potential for XSS attacks makes it a concern. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. Public proof-of-concept exploits are likely to emerge given the public disclosure.
Exploit Status
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2025-2490 is to upgrade Dromara ujcms to version 9.7.6 or later, which contains the fix. If upgrading immediately is not possible, implement strict server-side file upload validation to prevent the upload of potentially malicious files: validate file extensions against an allowlist, enforce size limits, and check content types. Web application firewalls (WAFs) can also be configured to block suspicious file upload attempts. After upgrading, confirm the vulnerability is resolved by attempting a file upload with a known malicious extension and verifying that it is rejected.
Update Dromara ujcms to a version later than 9.7.5 that fixes the Cross-Site Scripting (XSS) vulnerability in the file upload function. Consult the changelog or release notes to confirm that the vulnerability has been addressed. As a temporary measure, implement thorough user input validation and sanitization in the file upload function to mitigate the risk of XSS.
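As an added illustration of the server-side validation described above (hypothetical code, not ujcms's own), a Java validator that applies an extension allowlist, a single-extension rule, a per-file size limit and, for the archive path that mirrors uploadZip, a bounded entry count plus traversal checks on every entry name; the allowlist and limits are constructed values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
// Hypothetical validator for a CMS upload endpoint; not ujcms's own code.
public final class UploadPolicy {
    // Allowlist of what the site needs (constructed). Anything a browser renders as
    // markup or script (html, htm, svg, xml, js, jsp, ...) is deliberately absent.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif", "pdf", "txt");
    private static final long MAX_BYTES = 10L * 1024 * 1024;  // 10 MiB per file (constructed limit)
    private static final int MAX_ZIP_ENTRIES = 1000;           // constructed limit
    // True only for a bare file name carrying a single allowlisted extension.
    public static boolean isAllowedName(String name) {
        if (name == null || name.isEmpty()) return false;
        // No path separators or NULs: the server, not the client, picks the storage path.
        if (name.contains("/") || name.contains("\\") || name.indexOf('\0') >= 0) return false;
        String lower = name.toLowerCase(Locale.ROOT);
        int dot = lower.lastIndexOf('.');
        if (dot <= 0 || dot == lower.length() - 1) return false;
        if (lower.indexOf('.') != dot) return false;  // rejects double extensions like "a.jsp.png"
        return ALLOWED.contains(lower.substring(dot + 1));
    }
    // Checks every archive entry before anything is written to disk: bounded entry
    // count, no absolute or traversing paths, per-entry size limit, and the same
    // name rules as single uploads. Returns the number of file entries accepted.
    public static int validateZip(InputStream in) throws IOException {
        int files = 0, entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zip = new ZipInputStream(in)) {
            for (ZipEntry e = zip.getNextEntry(); e != null; e = zip.getNextEntry()) {
                if (++entries > MAX_ZIP_ENTRIES) throw new IOException("too many entries");
                Path p;
                try { p = Paths.get(e.getName()).normalize(); }
                catch (InvalidPathException ex) { throw new IOException("bad entry name"); }
                if (p.isAbsolute() || p.startsWith("..")) throw new IOException("traversal: " + e.getName());
                if (e.isDirectory()) continue;  // directories carry no content; only their path was checked
                if (!isAllowedName(p.getFileName().toString())) throw new IOException("rejected: " + e.getName());
                long size = 0;  // count decompressed bytes so a declared size cannot be trusted blindly
                for (int n; (n = zip.read(buf)) > 0; ) if ((size += n) > MAX_BYTES) throw new IOException("entry too large");
                files++;
            }
        }
        return files;
    }
}
```

Call `isAllowedName` on the client-supplied name of a single upload, and run `validateZip` over the archive stream before any extraction step touches the filesystem.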
CVE-2025-2490 is a vulnerability in Dromara ujcms version 9.7.5 that allows attackers to upload arbitrary files, potentially leading to cross-site scripting (XSS).
If you are using Dromara ujcms version 9.7.5, you are affected by this vulnerability. Upgrade to version 9.7.6 or later to mitigate the risk.
Upgrade Dromara ujcms to version 9.7.6 or later. Implement strict file upload validation as a temporary workaround if immediate upgrade is not possible.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the Dromara ujcms official website or security advisories for the latest information and updates regarding CVE-2025-2490.