CVE Alert

CVE-2022-50973

CRITICAL 9.8

Yonyou KSOA 9.0 Unauthenticated File Upload RCE via ImageUpload Servlet

CVSS Score: 9.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet. The servlet accepts a POST request with attacker-controlled filepath and filename parameters and performs no authentication and no file type, extension, or content validation. An attacker can upload a JSP webshell by supplying a malicious filename and a root filepath; the file is stored under the pictures directory and executed directly by the web server, resulting in unauthenticated remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-11-07 (UTC).
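As an added illustration, not code from the advisory or from Yonyou: the server-side checks that CWE-434 calls for and that the description says this servlet lacks, written in Python (the affected component is a Java servlet; the logic carries over). It never consults a client-supplied directory, accepts only an allow-listed image extension, a restricted basename and content whose leading bytes match the claimed type, and confirms the final path stays under the upload directory. The directory, the allow-list and the sample inputs are assumptions.

```python
import os
import re
from pathlib import Path

# Constructed allow-list for an image-upload endpoint. The client-supplied
# "filepath" parameter is never consulted; the server fixes the directory.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {  # bytes each accepted type must start with
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
}
# One stem, no dots, slashes, NULs or percent signs: "shell.jsp.png" and
# "shell.jsp%00.png" both fail here even though their last extension is .png.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def check_upload(base_dir: str, filename: str, content: bytes):
    """Return (target_path, None) if the upload is acceptable, else (None, reason)."""
    base = Path(base_dir).resolve()
    # Drop any directory components the client sent ("..", absolute paths).
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return None, f"extension not allowed: {ext or '(none)'}"
    if not SAFE_STEM.fullmatch(stem):
        return None, "filename contains disallowed characters"
    if not content.startswith(MAGIC[ext]):
        return None, "content does not match declared image type"
    target = (base / f"{stem}{ext}").resolve()
    if target.parent != base:  # defence in depth: must remain inside base
        return None, "path escapes upload directory"
    return target, None


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample image header
    for name, data in [("photo.png", png), ("shell.jsp", b"<html>"),
                       ("../shell.jsp", b"<html>"), ("shell.png", b"<html>")]:
        print(name, check_upload("/tmp/pictures", name, data))
```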

CWE: CWE-434
Vendor: Yonyou Network Technology Co., Ltd.
Product: KSOA
Published: Jul 2, 2026
Last Updated: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Yonyou Network Technology Co., Ltd. / KSOA 9.0

References

NVD, CVE.org, EPSS Data
cn-sec.com: https://cn-sec.com/archives/1329088.html
buaq.net: https://buaq.net/go-167023.html
cnblogs.com: https://www.cnblogs.com/yang-miemie/p/17714927.html
yonyou.com: https://www.yonyou.com/
vulncheck.com: https://www.vulncheck.com/advisories/yonyou-ksoa-unauthenticated-file-upload-rce-via-imageupload-servlet

Credits

The Shadowserver Foundation