CVE-2026-4220 - Vulnerability Details

Description

A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-03-16

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in the SetWebpagePic.jsp component of Technologies Integrated Management Platform (version 7.17.0). Manipulation of the targetPath and Suffix parameters allows an attacker to upload arbitrary files without restrictions. The uploaded content can include malicious scripts or binaries, giving the attacker the ability to potentially execute code on the server. Derived from the vendor description, this issue results in an unrestricted upload vector that is exploitable remotely.

Affected Systems

The affected product is Technologies Integrated Management Platform, specifically version 7.17.0 as listed by the CNA. No additional affected versions are documented in the provided data.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity, and the EPSS score of fewer than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, implying it has not yet been observed in widespread attacks. Attack initiation is explicitly stated as possible remotely, and the presence of authentication bypass (CWE‑284) and unrestricted file upload (CWE‑434) weaknesses further support an attack path that could lead to remote code execution if an attacker succeeds in uploading executable content.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Technologies

Integrated Management Platform

affected

Version	Status	Constraints
`7.17.0`	affected	—

No data.

Vendor Product Confidence Versions

Technologies

Integrated Management Platform

100%

Version	Status	Scheme	Platform
`7.17.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify whether a vendor patch or newer product version is available and apply it immediately.
If no official fix exists, restrict the /SetWebpagePic.jsp upload endpoint at the web server level or disable the JSP to prevent unauthenticated file uploads.
Implement file type and path validation within the application to ensure only allowed image types are accepted and stored in a non-executable directory.
Monitor web server logs for suspicious upload activity and block offending IP addresses or users that attempt to exploit the upload functionality.

Generated by OpenCVE AI on March 17, 2026 at 11:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://my.feishu.cn/docx/EA9HdaXaQo80yTxKdw0c3UDmnmD?from=from_copylink
https://vuldb.com/?ctiid.351144
https://vuldb.com/?id.351144
https://vuldb.com/?submit.770523

History

Tue, 17 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Technologies Technologies integrated Management Platform
Vendors & Products		Technologies Technologies integrated Management Platform

Mon, 16 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 07:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Technologies Integrated Management Platform SetWebpagePic.jsp unrestricted upload
Weaknesses		CWE-284 CWE-434
References		https://my.feishu.cn/docx/EA9HdaXaQo80yTxKdw0c3UDmnmD?from=from_copylink https://vuldb.com/?ctiid.351144 https://vuldb.com/?id.351144 https://vuldb.com/?submit.770523
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Technologies Integrated Management Platform

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-16T06:02:23.103Z

Updated: 2026-03-16T15:21:24.965Z

Reserved: 2026-03-15T16:30:48.426Z

Link: CVE-2026-4220

Vulnrichment

Updated: 2026-03-16T15:21:17.937Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:20:13.107

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object