Description
A vulnerability was determined in Hanwang e-Face General Management Platform 6.3.5.4. This issue affects some unknown processing of the file /manage/resourceUpload/upload.do. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Hanwang e-Face General Management Platform 6.3.5.4 allows an attacker to upload any file to the /manage/resourceUpload/upload.do endpoint because the File argument is not properly validated. This is an instance of CWE-434 (Unrestricted Upload of File with Dangerous Type) combined with CWE-284 (Improper Access Control). By uploading executable or script files, a threat actor can achieve remote code execution, privilege escalation, or defacement of the web application. The vulnerability is exploitable from a remote location and an exploit has already been publicly disclosed.

Affected Systems

The vendor affected is Hanwang, specifically its e-Face General Management Platform. The documented vulnerable version is 6.3.5.4. No other versions or product variants are listed as affected in the CNA data.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate but significant risk; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable endpoint over HTTP(S) and supply a crafted file without restrictions, suggesting a straightforward remote exploitation path. Given the public disclosure, the likelihood of exploitation is uncertain but non-negligible.

Generated by OpenCVE AI on June 29, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released patch for e-Face General Management Platform v6.3.5.4 or upgrade to a newer version where file-type validation and access control are correctly enforced.
  • Configure the web server to deny execution of files stored in the upload directory, for example by disabling script execution and validating MIME types and extensions before acceptance.
  • Restrict access to the /manage/resourceUpload/upload.do endpoint to authenticated users only, ensuring that only authorized personnel can upload files.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

(Values Removed column empty; all entries below are Values Added.)

  • Metrics: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 08:45:00 +0000

(Values Removed column empty; all entries below are Values Added.)

  • Description: A vulnerability was determined in Hanwang e-Face General Management Platform 6.3.5.4. This issue affects some unknown processing of the file /manage/resourceUpload/upload.do. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
  • Title: Hanwang e-Face General Management Platform upload.do unrestricted upload
  • First Time appeared: Hanwang; Hanwang e-face General Management Platform
  • Weaknesses: CWE-284, CWE-434
  • CPEs: cpe:2.3:a:hanwang:e-face_general_management_platform:*:*:*:*:*:*:*:*
  • Vendors & Products: Hanwang; Hanwang e-face General Management Platform
  • References:
  • Metrics:
    cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T12:54:33.875Z

Reserved: 2026-06-28T11:00:06.749Z

Link: CVE-2026-13547

Vulnrichment

Updated: 2026-06-29T12:54:30.108Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T14:15:05Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-434: Unrestricted Upload of File with Dangerous Type