Cyber Posture

CVE-2024-57761

Severity: High
Public PoC: available
Published: 15 January 2025
Modified: 11 September 2025
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0022 (44.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file.

Security Summary

CVE-2024-57761, published on 2025-01-15, is an arbitrary file upload vulnerability in the parserXML() method of JeeWMS versions before v2025.01.01. It is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type): an attacker can upload a crafted file that results in arbitrary code execution on the server. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), high severity, driven by network reachability, low attack complexity, and high impact on confidentiality and integrity.

Exploitation requires low privileges (PR:L), so an attacker needs only a low-privileged account on the application, not administrative access, and no interaction from another user (UI:N). The attacker submits a crafted file to the parserXML() method remotely and obtains code execution in the context of the server process. The vector scores confidentiality and integrity as high (C:H/I:H) because that code can read and modify data the application can reach; it records no availability impact (A:N) and unchanged scope (S:U). As with other CWE-434 issues, the severity comes from the uploaded content being stored where the server will later execute or interpret it, rather than from the upload itself.

The vendor's issue tracker entry at https://gitee.com/erzhongxmu/JEEWMS/issues/IBFTZ7 documents the problem. The fix is to upgrade to JeeWMS v2025.01.01 or later, which addresses the vulnerable parserXML() method; the page lists no other workaround.
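The following is an added illustration of the CWE-434 pattern behind this CVE, not JeeWMS's parserXML() code or its fix (the vendor's actual implementation is not on this page). It shows a hypothetical XML-import handler that trusts the client-supplied file name and writes under a web-served directory, next to a hardened version that allowlists the extension, requires the body to parse as well-formed XML with a parser configured against XXE, stores the file under a server-chosen random name, and keeps it outside the web root. All paths and names are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

/**
 * Hypothetical XML-import upload handling, vulnerable and hardened.
 * Not JeeWMS code; directory layout below is assumed for illustration.
 */
public class XmlImportUpload {

    // Vulnerable pattern: the directory is served (and JSPs executed) by the container.
    static final Path WEB_ROOT_UPLOADS = Paths.get("/var/www/app/upload"); // assumed

    static Path vulnerableSave(String clientFileName, byte[] body) throws IOException {
        // Client controls the name, so "shell.jsp" is written where it will execute,
        // and "../x" can leave the upload directory entirely.
        Path target = WEB_ROOT_UPLOADS.resolve(clientFileName);
        Files.createDirectories(target.getParent());
        Files.write(target, body);
        return target;
    }

    // Hardened pattern.
    static final Set<String> ALLOWED_EXTENSIONS = Set.of("xml");
    static final long MAX_BYTES = 5L * 1024 * 1024;

    /** Validates the upload and returns the server-chosen file name; throws on rejection. */
    static String validateXmlUpload(String clientFileName, byte[] body) {
        if (body == null || body.length == 0 || body.length > MAX_BYTES) {
            throw new IllegalArgumentException("rejected: bad size");
        }
        // 1. Extension taken from the last dot only (so "a.xml.jsp" is "jsp"), lower-cased, allowlisted.
        String base = Paths.get(clientFileName).getFileName().toString();
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("rejected: extension not allowed: '" + ext + "'");
        }
        // 2. Check content, not just the name: it must be well-formed XML under a parser
        //    that refuses DOCTYPEs (no external entities, no XXE during the check itself).
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            f.newDocumentBuilder().parse(new ByteArrayInputStream(body));
        } catch (ParserConfigurationException | SAXException | IOException e) {
            throw new IllegalArgumentException("rejected: content is not well-formed XML", e);
        }
        // 3. Never reuse the client name: random server-chosen name with a fixed extension.
        return UUID.randomUUID() + ".xml";
    }

    /** Stores a validated upload under a directory that is not served by the web tier. */
    static Path safeSave(Path store, String clientFileName, byte[] body) throws IOException {
        String serverName = validateXmlUpload(clientFileName, body);
        Path target = store.resolve(serverName).normalize();
        if (!target.startsWith(store)) { // defence in depth; serverName contains no separators
            throw new IllegalStateException("path escaped store");
        }
        Files.createDirectories(store);
        Files.write(target, body);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path store = Files.createTempDirectory("imports"); // stands in for a non-served directory
        byte[] xml = "<?xml version=\"1.0\"?><import><sku>A1</sku></import>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] jsp = "<%@ page %><% out.println(\"not xml\"); %>".getBytes(StandardCharsets.UTF_8);

        System.out.println("stored: " + safeSave(store, "stock.xml", xml));
        for (String[] attempt : new String[][] { { "shell.jsp", "jsp" }, { "shell.jsp.xml", "jsp body" },
                                                  { "../../etc/cron.d/job.xml", "traversal" } }) {
            try {
                safeSave(store, attempt[0], attempt[0].endsWith(".xml") && attempt[1].equals("traversal") ? xml : jsp);
                System.out.println(attempt[0] + " (" + attempt[1] + "): stored as random .xml outside web root");
            } catch (IllegalArgumentException e) {
                System.out.println(attempt[0] + " (" + attempt[1] + "): " + e.getMessage());
            }
        }
    }
}
```

In the demo, "shell.jsp" fails the extension allowlist, "shell.jsp.xml" passes the name check but fails XML parsing, and the traversal attempt with a valid XML body is stored anyway, but under a random name inside the store, because the client name is never used for the path. Each control covers a gap the others leave: the allowlist alone is defeated by double extensions or container quirks, the content check alone is defeated by polyglot files, and only the server-chosen name and non-served location make the stored bytes inert even if both checks are bypassed.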

Details

CWE(s)
CWE-434

Affected Products

huayi-tec
jeewms
< v2025.01.01 (fixed in v2025.01.01)

References

https://gitee.com/erzhongxmu/JEEWMS/issues/IBFTZ7