CVE-2022-47042: 
Java vulnerability analysis and mitigation

MCMS v5.2.10 and below contains an arbitrary file write vulnerability via the component ms/template/writeFileContent.do. The vulnerability was discovered and reported on December 8, 2022, affecting multiple versions including 5.2.8, 5.2.9, and 5.2.10 (Gitee Issue).

The vulnerability exists in the template management functionality, specifically in the file editing feature. The system implements a blacklist for file extensions (exe, jsp, xml, sh, bat, py, ftl, jspx) but can be bypassed in Windows environments. The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When successfully exploited, this vulnerability allows an attacker to write arbitrary files to the system, potentially leading to remote code execution through the upload of malicious JSP files. The vulnerability is particularly impactful in Windows environments using Tomcat for WAR package deployment (Gitee Issue).

The vulnerability has been addressed in versions after 5.2.10. Users running affected versions should upgrade to a patched version of the software (NVD).