Arbitrary Code Execution

Affecting blueimp-file-upload package, versions <9.22.1


Overview

blueimp-file-upload is a jQuery file upload widget with multiple file selection, drag & drop support, progress bars, validation, and preview of images, audio and video.

Affected versions of this package are vulnerable to Arbitrary Code Execution because they allow the upload of arbitrary files: no validation was required to upload a file to the server.

Remediation

Upgrade blueimp-file-upload to version 9.22.1 or higher.

CVSS Score

7.3 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H/RL:O
Credit: Larry W Cashdollar
CVE: CVE-2018-9206
CWE: CWE-434
Snyk ID: SNYK-JS-BLUEIMPFILEUPLOAD-72453
Disclosed: 09 Oct, 2018
Published: 15 Oct, 2018