漏洞描述
泛微云桥存在任意文件上传漏洞,ResumeController 模块未对上传文件类型进行严格校验。未授权的攻击者可以通过构造特定的 multipart 请求,上传任意文件,从而绕过文件类型限制。利用 /wxclient/app/recruit/resume/addResume 接口,攻击者能够上传并执行恶意文件,最终实现远程命令执行。
泛微云桥 e-Bridge resume 任意文件上传漏洞
PoC代码
暂无相关漏洞推荐
- ecology-ebridge-addtaste-sqli: 泛微云桥 taste/addTaste SQL注入
- POC CVE-2020-11853: Micro Focus Operations Bridge Manager <=2020.05 - Remote Code Execution
- POC CVE-2021-22502: Micro Focus Operations Bridge Reporter - Remote Code Execution
- POC CVE-2021-25112: WordPress WHMCS Bridge <6.4b - Cross-Site Scripting
- POC CVE-2025-4008: MeteoBridge <= 6.1 - Remote Code Execution
- POC CVE-2025-4008: MeteoBridge <= 6.1 - Remote Code Execution
- POC e-bridge-saveyzjfile-file-read: 泛微OA E-Bridge saveYZJFile 任意文件读取
- POC weaver-ebridge-addTasteJsonp-sqli: Weaver e-Bridge addTasteJsonp SQL Injection
- POC weaver-ebridge-checkmobile-sqli: Weaver E-Bridge CheckMobile SQL Injection
- POC commax-credentials-disclosure: COMMAX Smart Home Ruvie CCTV Bridge DVR - RTSP Credentials Disclosure
- POC exposed-adb: Exposed Android Debug Bridge
- 泛微云桥 e-Bridge checkMobile接口存在SQL注入漏洞
- Smartbedded MeteoBridge 存在远程命令执行漏洞(CVE-2025-4008)