This vulnerability (CWE-434) in ActiveDEMAND allows an attacker to upload files of dangerous types without restriction. Such unrestricted file upload vulnerabilities can enable attackers to execute arbitrary code, upload web shells, or otherwise compromise the affected system. The vulnerability affects ActiveDEMAND versions through 0.2.41. The CVSS 3.1 base score is 10.0, reflecting a critical risk with network attack vector, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. No vendor advisory or patch information is currently available, and no known exploits are reported in the wild.

Successful exploitation of this vulnerability can lead to full system compromise, including unauthorized code execution, data theft, and service disruption. The CVSS score of 10.0 indicates critical impact across confidentiality, integrity, and availability. Since the vulnerability allows uploading malicious files without restriction, attackers could leverage this to deploy malware or gain persistent access to the affected environment.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider implementing compensating controls such as restricting file upload functionality, validating and sanitizing uploaded files, and monitoring for suspicious file uploads. However, these are general mitigations and may not fully prevent exploitation. Continuous monitoring for updates from JumpDEMAND Inc. is recommended.