CVE-2019-7684

CRITICAL

inxedu <2018-12-24 - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-7684. PoCs published by inxeduopen.

AI-analyzed exploit summary The writeup details a file upload vulnerability in inxedu through 2018-12-24, where the fileType parameter can be manipulated to bypass extension checks, allowing malicious JSP file uploads. It includes technical analysis, vulnerable code location, and a proof-of-concept demonstration.

Description

inxedu through 2018-12-24 has a vulnerability that can lead to the upload of a malicious JSP file. The vulnerable code location is com.inxedu.os.common.controller.VideoUploadController#gok4 (com/inxedu/os/common/controller/VideoUploadController.java). The attacker uses the /video/uploadvideo fileType parameter to change the list of acceptable extensions from jpg,gif,png,jpeg to jpg,gif,png,jsp,jpeg.

Exploits (1)

gitee WRITEUP 1,602 stars
by inxeduopen · javawriteup
https://gitee.com/inxeduopen/inxedu/issues/IQJUH

The writeup details a file upload vulnerability in inxedu through 2018-12-24, where the fileType parameter can be manipulated to bypass extension checks, allowing malicious JSP file uploads. It includes technical analysis, vulnerable code location, and a proof-of-concept demonstration.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: inxedu through 2018-12-24
No auth needed
Prerequisites: access to the file upload endpoint
devstral-2 · analyzed Mar 04, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://gitee.com/inxeduopen/inxedu/issues/IQJUH

Scores

CVSS v3 9.8
EPSS 0.0072
EPSS Percentile 72.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
inxedu/inxedu < 2018-12-24
Published Feb 09, 2019
Tracked Since Feb 18, 2026