Impact
Hanwang e‑Face General Management Platform 6.3.5.4 does not validate the File parameter of the /manage/resourceUpload/upload.do endpoint, so an attacker can upload a file of any type, including server‑side scripts and executables. The issue is classified as CWE‑434 (Unrestricted Upload of File with Dangerous Type) combined with CWE‑284 (Improper Access Control). If an uploaded script lands under a path the application server will execute, the attacker can achieve remote code execution; the same primitive can also be used for privilege escalation within the platform or defacement of the web application. The vulnerability is exploitable remotely, and an exploit has already been publicly disclosed.
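The weakness described above is the absence of server‑side validation of the uploaded file. The following is an added example of the check an upload handler should perform, written for this page and not taken from the Hanwang product: it allowlists extensions, verifies the file's leading bytes against that extension, rejects null bytes and path components in the client‑supplied name, and returns a random storage name so the attacker never controls where or under what name the file lands. The extension list, size limit and helper names are assumptions chosen for illustration.

```python
import os
import secrets

# Allowlist of extensions with the magic bytes each must begin with.
# These types are an assumption for the example; real handlers use
# whatever the application actually needs to accept, and nothing else.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024  # 5 MiB, an assumed limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Validate an upload and return a random, server-chosen storage name.

    Only the extension of the client name is consulted, and only after it
    has been normalised; the returned name never contains client input
    other than the allowlisted extension.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file exceeds size limit")
    if "\x00" in client_filename:
        raise UploadRejected("null byte in filename")

    # Drop any directory component the client sent ("../x.png", "C:\\x.png").
    base = os.path.basename(client_filename.replace("\\", "/")).strip()
    if not base:
        raise UploadRejected("empty filename")

    # The *last* extension decides the type, so "shell.png.jsp" is treated
    # as .jsp and rejected; "shell.jsp.png" must then pass the content check.
    stem, sep, ext = base.lower().rpartition(".")
    if not sep or not stem or not ext.isalnum():
        raise UploadRejected("missing or malformed extension")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")

    # Declared type must match the content; a JSP body named shell.png fails here.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")

    # Random name: the attacker cannot predict or choose the stored path.
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would refuse the file."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return True
    return False


def store_upload(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Validate and write the file into upload_dir, which should sit outside
    the web root (e.g. not under the servlet container's webapps tree)."""
    stored_name = validate_upload(client_filename, data)
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL guarantees we never overwrite an existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

Even with this check, the stored directory must not be served by the application server as executable content; the random name and the out‑of‑web‑root location are what turn a dangerous upload into an inert blob.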
Affected Systems
The affected vendor is Hanwang, and the affected product is its e‑Face General Management Platform. The only documented vulnerable version is 6.3.5.4; no other versions or product variants are listed as affected in the CNA data.
Risk and Exploitability
The CVSS score of 6.9 places the issue in the Medium severity band. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The vulnerable endpoint is reachable over HTTP(S) and accepts a crafted file without restriction, so the exploitation path is straightforward; the CNA data does not state whether the endpoint requires authentication, and that should be verified against the deployment. Because a public exploit exists, the effort required to exploit is low; the absence of an EPSS score and KEV entry means in‑the‑wild exploitation cannot be quantified from this data, but it should be treated as non‑negligible. Until a fix is applied, restricting network access to the /manage path and checking upload directories for server‑side script files are the practical compensating steps.
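Because exploitation consists of a POST to a known endpoint followed by a request for the planted file, access logs are the natural place to look for it. The following is an added detection example written for this page, not a rule shipped by the vendor or by any log product: it parses combined‑format access log lines, records every POST to /manage/resourceUpload/upload.do, and flags any later request from the same source for a path with a server‑side script extension. The log lines are constructed for the example, the /upload/cmd.jsp path is hypothetical (the advisory does not say where uploaded files are stored), and the extension list is an assumption.

```python
import re
from collections import defaultdict

UPLOAD_ENDPOINT = "/manage/resourceUpload/upload.do"
# Extensions that would execute on a typical Java web stack plus a few
# others; assumed for the example, tune to the actual server.
SCRIPT_EXTS = (".jsp", ".jspx", ".jspf", ".war", ".php", ".aspx", ".sh")

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not from any real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2025:10:14:01 +0000] "GET /manage/login.do HTTP/1.1" 200 1843',
    '198.51.100.7 - - [12/Mar/2025:10:15:22 +0000] "POST /manage/resourceUpload/upload.do HTTP/1.1" 200 97',
    '198.51.100.7 - - [12/Mar/2025:10:15:40 +0000] "GET /upload/cmd.jsp?cmd=id HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2025:10:16:03 +0000] "POST /manage/resourceUpload/upload.do HTTP/1.1" 200 97',
    '10.0.0.5 - - [12/Mar/2025:10:16:30 +0000] "GET /manage/resource/list.do HTTP/1.1" 200 3021',
    'garbage line that does not parse',
]


def parse_line(line: str):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_abuse(lines):
    """Scan log lines in order and return a list of findings.

    Every POST to the upload endpoint is reported (the advisory gives no
    reason to trust any source), and any later request from the same IP
    for a script-extension path is reported as a likely webshell fetch.
    """
    uploads_by_ip = defaultdict(int)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads_by_ip[rec["ip"]] += 1
            findings.append({
                "type": "upload", "ip": rec["ip"], "ts": rec["ts"],
                "status": rec["status"],
            })
        elif rec["ip"] in uploads_by_ip and path.lower().endswith(SCRIPT_EXTS):
            findings.append({
                "type": "script_fetch_after_upload", "ip": rec["ip"],
                "ts": rec["ts"], "path": path, "status": rec["status"],
            })
    return findings


def suspicious_sources(findings):
    """IPs that both uploaded and then fetched a script path: the strongest signal."""
    return sorted({f["ip"] for f in findings if f["type"] == "script_fetch_after_upload"})


if __name__ == "__main__":
    for f in find_upload_abuse(SAMPLE_LOG):
        print(f)
    print("likely compromised by:", suspicious_sources(find_upload_abuse(SAMPLE_LOG)))
```

A single upload POST is not proof of exploitation, since the endpoint presumably has legitimate users; the upload followed by a fetch of a script path from the same source is the pairing worth an alert, and a 200 on that fetch means the server executed or served the file.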
OpenCVE Enrichment