A high-severity path traversal vulnerability in JeeSite allows authenticated attackers to perform unauthorized file writes, potentially leading to remote code execution.

The fileMd5 parameter in the /a/file/upload endpoint fails to properly sanitize path inputs. When chunked upload is enabled, an authenticated attacker can write files to arbitrary locations on the server.

This vulnerability carries a CVSS score of 9.6. While it requires authentication, the ability to write arbitrary files allows an attacker to upload malicious scripts (webshells) into executable directories, resulting in full server compromise, data exfiltration, or persistence within the environment.

Immediate Action: Upgrade to the latest version of JeeSite that addresses the path traversal flaw in the file upload module.

Proactive Monitoring: Audit the filesystem for unexpected files in upload directories and monitor logs for unusual file upload activity or traversal attempts.

Compensating Controls: Restrict file upload permissions to authorized users only and implement strict validation of file paths and extensions at the application layer.

Public Exploit Available: Unknown

Organizations should prioritize updating their JeeSite instances. Furthermore, review current user roles and permissions to ensure that the principle of least privilege is enforced regarding file upload capabilities.