CVE-2018-18830
MCMS 4.6.5 is affected by a flaw in com\mingsoft\basic\action\web\FileAction.java where the upload interface does not verify login status, allowing an attacker to upload JSP content disguised as a .png file and then coerce a suffix change to .jsp to access a stored path and execute arbitrary JSP ...