CVE-2022-23315: 
Java vulnerability analysis and mitigation

MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do. The vulnerability was disclosed on January 20, 2022 and assigned CVE-2022-23315. The vulnerability affects the MCMS content management system version 5.2.4 (NVD, MITRE).

The vulnerability exists in the template editing functionality of MCMS v5.2.4. When a user clicks save, a request is sent to /ms/template/writeFileContent.do endpoint. The backend code directly retrieves the POST file content and filename without proper validation, then creates and writes the file. This allows directory traversal attacks using '../' sequences, enabling attackers to write files to arbitrary directories on the target system. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to write arbitrary files to any directory on the target system, potentially leading to remote code execution by uploading malicious files. This could result in complete system compromise with the privileges of the web application (Gitee Issue).

The vulnerability was addressed in subsequent versions after 5.2.4. Users should upgrade to the latest version of MCMS. Additionally, implementing proper input validation and file path sanitization can help prevent directory traversal attacks (NVD).