Hzmanyun Education and Training System Command Injection Vulnerability in UploadImageController

Vulnerability

A command injection vulnerability rated critical has been identified in Hzmanyun Education and Training System version 2.1.3. It is located in UploadImageController.java, in the 'scorm' function, where the 'param' argument is incorporated into an operating-system command without adequate validation or escaping. Because the affected endpoint is reachable over the network, a remote attacker can supply a crafted 'param' value and have arbitrary commands executed on the server.

Impact

Successful exploitation gives the attacker arbitrary command execution on the server with the privileges of the account running the application, which can lead to unauthorized access, data theft, or complete compromise of the host.

Reproduction

To reproduce, send a POST request to the '/scorm' endpoint in which the 'param' parameter carries a command injection payload, for example one that appends a ping to an attacker-controlled host so that execution can be confirmed out of band. The request must also carry a file upload; a plain text file, or any other file type the application does not block, is sufficient. When the request is processed, the injected command runs on the server, and the ping arriving at the external host confirms it.
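The injectable pattern described above beside its hardened form, plus a detection pass over request-log lines, as an added example. This is not the vendor's code: the underlying command ('unzip'), the allowlist, the placement of 'param' in the query string, the 203.0.113.10 address and the log lines are all constructed assumptions. The unsafe path only builds the command string and never runs it.

```python
"""
Constructed illustration of the injection class: a request parameter
interpolated into an OS command string versus a validated argument vector.
Names, the command, and the sample log lines are hypothetical; nothing here
is the vendor's code. The unsafe path builds the string but never runs it.
"""
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Assumption: 'param' is expected to be a bare package file name.
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# Characters a POSIX shell treats as operators or expansions; detection only.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")


def build_unsafe_command(param: str) -> str:
    """The injectable pattern: user input concatenated into a shell string.
    Returned, not executed. Anything after ';' becomes a second command."""
    return "unzip -o " + param + " -d /tmp/scorm"


def build_safe_argv(param: str) -> list:
    """Hardened form: strict allowlist first, then an argument vector that is
    handed to the process without a shell (ProcessBuilder / subprocess list)."""
    if not SAFE_PARAM.fullmatch(param):
        raise ValueError("param rejected by allowlist")
    return ["unzip", "-o", param, "-d", "/tmp/scorm"]


def argv_passes_literally(value: str) -> str:
    """Show that an argv element reaches the child verbatim, metacharacters
    included, when no shell is involved. The running interpreter is the child
    so the demonstration works offline on any platform."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


# Constructed access-log style lines: "METHOD TARGET STATUS".
# The second line carries an injection attempt with an out-of-band ping.
SAMPLE_LOG = """\
POST /scorm?param=course01.zip 200
POST /scorm?param=x%3B+ping+-c+3+203.0.113.10 200
GET /index.html 200
POST /scorm?param=lesson_2.zip 200
"""


def scan_requests(log_text: str) -> list:
    """Flag POSTs to /scorm whose URL-decoded 'param' contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        method, target, _status = line.split(" ", 2)
        path, _, query = target.partition("?")
        if method != "POST" or path != "/scorm":
            continue
        for value in parse_qs(query).get("param", []):
            if SHELL_META.search(value):
                hits.append(value)
    return hits


if __name__ == "__main__":
    payload = "x; ping -c 3 203.0.113.10"
    print("unsafe string:", build_unsafe_command(payload))
    print("argv literal :", argv_passes_literally(payload))
    print("flagged      :", scan_requests(SAMPLE_LOG))
```

The allowlist is the real fix; the argument vector is defence in depth, since even a metacharacter that slips past a blocklist is delivered to the child as one literal argument rather than parsed by a shell. The detection regex is deliberately broad and will produce false positives on legitimate values containing '$' or '&', so tune it to what the field is actually allowed to carry.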

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.