Arbitrary Code Execution

Affecting jquery-file-upload package, ALL versions


Overview

jquery-file-upload provides multiple file uploads with a progress bar.

Affected versions of this package ship demo code that is vulnerable to Arbitrary Code Execution because it allows the upload of arbitrary files: the demo performs no validation of what is uploaded to the server. Deploying the upload.php demo code leaves users vulnerable.

Remediation

There is no fixed version of jquery-file-upload; however, the core components can be used safely as long as users do not deploy the demo code found in the upload.php file.

References

CVSS Score

3.1
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:W/RC:C
Credit
Unknown
CVE
CVE-2018-9207
CWE
CWE-94
Snyk ID
SNYK-JS-JQUERYFILEUPLOAD-72622
Disclosed
02 Nov, 2018
Published
22 Nov, 2018