jerryshensjf JPACookieShop Unrestricted File Upload Vulnerability

A critical vulnerability allowing arbitrary file uploads has been identified in jerryshensjf JPACookieShop version 1.0. The issue arises in the addGoods function within GoodsController.java, where image upload features lack proper validation and restrictions, enabling the upload of any file type. This vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which could lead to the upload of malicious files that are processed within the application's environment. Such actions could potentially be used to execute arbitrary code or disrupt application functionality.

Reproduction

To reproduce this vulnerability, log into the application as an admin. Navigate to the 'Add Product' feature in the backend management system. Upload an image file through the provided upload functionality. Due to the absence of proper validation, any file type can be uploaded, including potentially harmful files.