Miggo Logo
Miggo Vulnerability Database
CVE-2020-28088

CVE-2020-28088:
Jeecg-Boot CMS arbitrary file upload vulnerability

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-28088
GHSA ID
GHSA-jf7x-57g8-9hm5
EPSS Score
0.90134%
CWE
CWE-434
Published
5/24/2022
Updated
8/23/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jeecgframework.boot:jeecg-boot-parentmaven<= 2.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The vulnerability is explicitly tied to the /jeecg-boot/sys/common/upload endpoint
  2. In Spring Boot applications, URL mappings typically correspond to controller methods
  3. The CWE-434 classification indicates improper file validation during upload operations
  4. Standard Java package conventions suggest the controller would be in org.jeecg.modules.system.controller
  5. The lack of patch information requires inference, but the endpoint specificity strongly indicates the associated controller method is vulnerable

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *r*itr*ry *il* uplo** vuln*r**ility in `/j****-*oot/sys/*ommon/uplo**` o* j****-*oot *MS *.* *llows *tt**k*rs to *x**ut* *r*itr*ry *o**.

Reasoning

*. T** vuln*r**ility is *xpli*itly ti** to t** /j****-*oot/sys/*ommon/uplo** *n*point *. In Sprin* *oot *ppli**tions, URL m*ppin*s typi**lly *orr*spon* to *ontroll*r m*t*o*s *. T** *W*-*** *l*ssi*i**tion in*i**t*s improp*r *il* v*li**tion *urin* uplo