[net.mingsoft:ms-mcms] Mingsoft MCMS vulnerable to Remote Code Execution via file upload.

Mingsoft MCMS is a Java CMS. Versions prior to and including 5.2.5 contain a file upload vulnerability allowing for a jspx webshell to be uploaded via net.mingsoft.basic.action.web.FileAction#upload, resulting in remote code execution. It is unclear if this issue has been patched.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-46386
• https://gitee.com/mingSoft/MCMS/issues/I4R0GW
• https://github.com/ming-soft/MCMS
• https://github.com/advisories/GHSA-cwx9-rp4w-4545