LiveBOS, an object-oriented business architecture middleware by Fujian Apex Software Co. Ltd., contains an arbitrary file upload vulnerability (CWE-434) combined with path traversal (CWE-22) in the UploadFile.do;.js.jsp endpoint. This flaw permits unauthenticated attackers to upload malicious files outside the intended directory structure by manipulating the filename parameter. Successful exploitation may enable remote code execution on the server, resulting in full system compromise. The vulnerability affects LiveBOS Server builds prior to August 2024. While newer versions reportedly remediate this issue, no explicit patch or vendor advisory is currently available. The vulnerability was publicly disclosed and exploitation evidence was noted by Shadowserver Foundation on 2024-08-23 UTC. The CVSS 4.0 score is 10.0, reflecting critical impact with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, availability, scope, and security requirements.

The vulnerability allows unauthenticated remote attackers to upload arbitrary files outside the intended directory via path traversal, potentially leading to remote code execution on the LiveBOS server. This can result in full system compromise, including unauthorized access, data manipulation, and service disruption. The critical CVSS score of 10.0 underscores the severity and ease of exploitation without any privileges or user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is reportedly fixed in newer versions released after August 2024, so upgrading to the latest LiveBOS version is recommended once official updates are available. Until then, restrict access to the vulnerable endpoint and monitor for suspicious file uploads. Avoid exposing the UploadFile.do;.js.jsp endpoint to untrusted networks. Follow vendor communications closely for official patches or workarounds.