Skip to main content

Jingmen Zeyou Large File Upload Control CVE-2025-8203

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-07-26 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:30 vuln.today

DescriptionCVE.org

A vulnerability classified as critical has been found in Jingmen Zeyou Large File Upload Control up to 6.3. Affected is an unknown function of the file /index.jsp. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Jingmen Zeyou Large File Upload Control through version 6.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /index.jsp, with publicly available exploit code and vendor non-responsiveness indicating limited remediation prospects.

Technical ContextAI

The vulnerability exists in the /index.jsp endpoint of a file upload control component used for handling large file transfers. The vulnerability is rooted in improper input validation (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) where user-supplied input in the ID parameter is directly incorporated into SQL queries without sanitization or parameterized statement usage. The affected product is a JSP-based web component (CPE: cpe:2.3:a:jingmen_zeyou:large_file_upload_control:*:*:*:*:*:*:*:*), suggesting a legacy or third-party Java-based upload handler. The attack requires authenticated access (PR:L in CVSS vector), meaning an attacker must first obtain valid user credentials or session tokens.

RemediationAI

No vendor-released patch has been made available at time of analysis, as the vendor declined to respond to early disclosure notifications. Organizations should immediately inventory systems using Jingmen Zeyou Large File Upload Control and assess whether this component remains in active use. Primary mitigation options include: (1) Upgrade to a maintained alternative file upload solution with active security support, (2) Disable the /index.jsp endpoint or restrict network access to it via Web Application Firewall (WAF) rules or network segmentation if the component is still required, or (3) Implement database-level SQL injection protections such as input validation rules, stored procedure whitelisting, or parameterized query enforcement at the database tier (noting this adds latency but prevents direct SQL injection). If the component cannot be retired immediately, apply principle of least privilege by restricting user accounts that can access the file upload functionality. Given the vendor non-responsiveness and EPSS data indicating limited real-world exploitation, this remediation may be deferred in favor of higher-priority vulnerabilities unless inventory assessment confirms active use in critical systems.

Share

CVE-2025-8203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy