CVE-2023-34660: 
Java vulnerability analysis and mitigation

jjeecg-boot version 3.5.0 contains an unauthorized arbitrary file upload vulnerability in the /jeecg-boot/jmreport/upload interface. The vulnerability was discovered and disclosed on May 28, 2023, and affects versions 3.5.0 and 3.5.1 (GitHub Issue).

The vulnerability exists in the org.jeecg.modules.jmreport.desreport.a package's a.java controller. When a POST request is made to /jeecg-boot/jmreport/upload, the application only filters '../' patterns but fails to properly validate file types. This insufficient validation allows attackers to upload arbitrary file types, including malicious files. The CVSS v3.1 base score is 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows attackers to upload arbitrary files, including HTML files that can lead to stored Cross-Site Scripting (XSS) attacks. Additionally, attackers can upload shell scripts, potentially leading to remote code execution on the affected server (GitHub Issue).

Users should upgrade to a version newer than 3.5.1. The vulnerability has been classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).