Product: Microweber
Product Version: 1.1.18
Vulnerability:
Unrestricted file upload: no validation of image file extensions in the add-image functionality on the profile page
Description:
The component is: Admin Account Profile Page. The attack vector is: no validation on profile image upload.
The vulnerability has been identified on the admin account page. An attacker can upload PHP code, or a file with any other extension (e.g. .exe), to the web server by providing image data and the image/jpeg content type together with a .php extension.
Attack Type: Local
Impact:
The profile image upload performs no validation, so a file with any extension can be uploaded through the admin profile upload.
Reference:
https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
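
One way to perform the validation this advisory reports as missing, written as an added example that is not Microweber's code or its fix. The function name `safe_image_name`, the allow-list and the sample inputs are assumptions made for illustration; the check follows the allow-list and content-verification advice in the OWASP File Upload Cheat Sheet referenced above.

```php
<?php
// Added example: hypothetical helper, not taken from Microweber.
// Allow-list mapping each permitted extension to the MIME type its content must have.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns a server-generated file name when the upload is an allowed image,
 * or null when it must be rejected. $clientName is the name sent by the
 * browser; the client-supplied Content-Type header is never consulted.
 */
function safe_image_name(string $clientName, string $bytes): ?string
{
    // 1. Extension check against the allow-list (final extension, case-insensitive).
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return null;
    }
    // 2. Content check: detect the type from the bytes themselves.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($detected !== ALLOWED_IMAGES[$ext]) {
        return null;
    }
    // 3. Store under a random name so the client never controls the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample input: a minimal JPEG header, not a real photo.
$jpeg = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xD9";
$cases = [
    ['avatar.php', $jpeg],           // the case in this advisory: image data, .php name
    ['avatar.jpg', $jpeg],           // legitimate image
    ['avatar.jpg', '<?php echo 1;'], // script content behind an image extension
    ['setup.exe',  $jpeg],           // non-image extension
];
foreach ($cases as [$name, $bytes]) {
    $stored = safe_image_name($name, $bytes);
    printf("%-12s => %s\n", $name, $stored ?? 'rejected');
}
```

Only the second case is accepted. The example requires PHP's fileinfo extension, and the upload directory should additionally be configured so the web server never executes files stored in it.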