CVE-2025-34336
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk40th percentile - higher than 40% of all known CVEs
Summary
eGovFrame Common Components up to version 4.3.1 has an unauthenticated file upload vulnerability via the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do endpoints. An attacker can upload arbitrary content, and the server stores the file and returns a download URL, allowing the application to be used as a file hosting service.
Risk Assessment
The risk is the ability to host malicious content (e.g., scripts, malware) under the application's domain, which can lead to phishing attacks, malware distribution, or reputational damage.
Recommendation
Immediately update eGovFrame Common Components to version 4.3.2 or later if available, or apply temporary mitigations such as enforcing authentication on the image upload endpoints.
Original NVD description (English source)
eGovFramework/egovframe-common-components versions up to and including 4.3.1 contain an unauthenticated file upload vulnerability via the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do image upload endpoints. These controllers accept multipart requests without authentication, pass the uploaded content to a shared upload helper, and store the file on the server under a framework-controlled path. The framework then returns a download URL that can be used to retrieve the uploaded content, including an attacker-controlled Content-Type within the limits of the image upload functionality. While a filename extension whitelist is enforced, the attacker fully controls the file contents. The response MIME type used is also attacker-controlled when the file is served up to version < 4.1.2. Since version 4.1.2, it is possible to download any image uploaded with any whitelisted content type. But any file uploaded other than an image will be served with the `application/octet-stream` content type (the content type is no longer controlled by the attacker since version 4.1.2). This enables an unauthenticated attacker to use any affected application as a persistent file hosting service for arbitrary content under the application's origin. KISA/KrCERT has identified this unpatched vulnerability as "KVE-2023-5280."

