Path Traversal Arbitrary File Write in JeeSite v5.15.1 /a/file/upload

Successful exploitation allows an authenticated low-privilege attacker with upload capability to write arbitrary files with whitelisted extensions to arbitrary locations on the server filesystem. Depending on where files can be written and how those files are subsequently used by the application or host environment, this can lead to unauthorized modification of application data, placement of attacker-controlled files in sensitive paths, disclosure or compromise of sensitive information, and potentially further compromise of the affected system. The provided CVSS vector indicates high confidentiality and integrity impact with no direct availability impact.

If an official fix is not yet available, disable chunked upload functionality where feasible, or restrict access to the /a/file/upload endpoint to only strictly necessary trusted users. Remove unnecessary file upload permissions, monitor for traversal patterns in fileMd5 and related upload parameters, and enforce filesystem-level permissions so the application account cannot write to sensitive directories. Additional compensating controls include isolating the upload directory, validating canonicalized paths against an allowlisted base directory, and alerting on unexpected file creation in application and web-accessible paths.

Upgrade to a fixed JeeSite release if one is available from the vendor. The vulnerable /a/file/upload implementation should be corrected so that the fileMd5 parameter cannot influence filesystem paths outside an intended upload directory. Enforce canonical path validation, reject traversal sequences, generate server-side storage paths independent of user-controlled input, and ensure chunked upload assembly is constrained to a dedicated directory. Review and harden suffix allowlisting so it is not the primary control preventing dangerous writes.