2026-01-30
Interinfo DreamMaker - Unrestricted Upload of File with Dangerous Type
| Field | Value |
|---|---|
| ZUSOART ID | ZA-2026-02 |
| CVE ID | CVE-2026-24729 |
| Vulnerability Type | CWE-434: Unrestricted Upload of File with Dangerous Type |
| CVSS 4.0 Base | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (10) |
| Description | An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file. |
| Vendor | Internet Information Co., Ltd |
| Product | |
| Mitigations | 1. If the file upload functionality provided by the baServer3 servlet is not essential for daily operations, disable it immediately. 2. Deploy WAF rules that inspect the request body and block any request in which a Java class file header (e.g. 0xCAFEBABE) is detected. 3. If the web service runs as `nt authority\system` (the highest privilege), change the account that runs the service to a low-privileged standard service account. |
| Release date | 2026/01/30 |
| Credit | Kuang Ming Chang of ZUSO ART |
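Mitigation 2 calls for inspecting the request body for the Java class-file header rather than trusting the declared filename or Content-Type. The following is an added example, not code from the advisory or from the vendor's product, of that check in Python: it parses a constructed multipart/form-data upload, flags every part whose payload begins with 0xCAFEBABE, and also covers a raw, non-multipart body. The boundary, field names, filename and payload bytes are constructed sample values.

```python
import re

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # magic number at offset 0 of every Java .class file

def _parse_multipart(body: bytes, boundary: str):
    """Yield (headers, payload) for each part of a multipart/form-data body."""
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # "--boundary--" closes the body
            break
        head, sep, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:  # malformed part without a header/payload separator
            continue
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        if payload.endswith(b"\r\n"):  # the CRLF before the next delimiter is not payload
            payload = payload[:-2]
        yield headers, payload

def find_class_file_parts(body: bytes, content_type: str):
    """Return a label for every upload part whose bytes start with the class-file magic.
    The check is on content, so a renamed file or a benign Content-Type does not bypass it."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:  # not multipart: inspect the raw body as a single file
        return ["raw body"] if body[:4] == JAVA_CLASS_MAGIC else []
    flagged = []
    for headers, payload in _parse_multipart(body, m.group(1)):
        if payload[:4] == JAVA_CLASS_MAGIC:
            flagged.append(headers.get("content-disposition", "<no content-disposition>"))
    return flagged

def should_block(body: bytes, content_type: str) -> bool:
    """WAF decision: block the request if any part looks like a Java class file."""
    return bool(find_class_file_parts(body, content_type))

# Constructed sample request: a harmless text field plus a "text" upload whose bytes are a class-file header
BOUNDARY = "----constructedExampleBoundary"
SAMPLE_CT = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n".encode()
    + b'Content-Disposition: form-data; name="note"\r\n\r\nhello\r\n'
    + f"--{BOUNDARY}\r\n".encode()
    + b'Content-Disposition: form-data; name="file"; filename="report.txt"\r\n'
    + b"Content-Type: text/plain\r\n\r\n"
    + JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34\r\n"  # magic followed by minor/major version bytes
    + f"--{BOUNDARY}--\r\n".encode()
)
```

`find_class_file_parts(SAMPLE_BODY, SAMPLE_CT)` reports only the `file` part, even though it was declared as `text/plain` with a `.txt` name; a real WAF rule should apply the same content check before the servlet ever sees the upload.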
