Last active: November 4, 2020 06:43
Gist: virendratiwari03/0918aaba97eba31666630996ab3aeec3
Product: Microweber
Product Version: 1.1.18
Vulnerability:
Unrestricted file upload / no validation of image extensions in the "add image" functionality of the profile page
Description:
The component is: Admin Account Profile Page. The attack vector is: no validation on profile image upload.
The vulnerability has been identified on the admin account page. An attacker can upload PHP code, or a file with any other extension (e.g. .exe), to the web server by providing image data with the image/jpeg content type under a .php file name, since the file extension itself is never validated.
Attack Type: Local
Impact:
No validation on profile image upload, which allows a file with any extension to be stored on the server through the admin profile image upload.
Reference:
https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
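An added example, not code from Microweber or from the gist author, of the server-side check the advisory says is missing: it ignores the client-supplied content type and accepts an upload only when the extension is on an image allow-list and the file's leading bytes match that extension, so "image bytes + image/jpeg + .php name" is rejected. The function names, the allow-list and the sample inputs are constructed for illustration.

```python
import os
import secrets

# Allow-list of accepted image extensions, each mapped to the magic bytes a
# genuine file of that type starts with (constructed for this example).
ALLOWED_IMAGE_TYPES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}


def validate_profile_image(filename: str, content_type: str, data: bytes) -> tuple:
    """Server-side validation of a profile image upload.

    The Content-Type the client sends is never the basis for the decision:
    the extension must be on the allow-list AND the file content must carry
    the magic bytes of that image type. Returns (accepted, reason).
    """
    # Only the final extension of the base name is inspected; the original
    # user-supplied name is never reused for storage (see safe_storage_name).
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension '.{ext}' is not an allowed image type"
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        return False, "file content does not match the declared image extension"
    if not content_type.lower().startswith("image/"):
        # Content and extension agree but the declared type does not: still
        # reject, and log it, because the request is malformed.
        return False, f"unexpected content type '{content_type}'"
    return True, "ok"


def safe_storage_name(ext: str) -> str:
    """Store under a random name with the validated extension, discarding the
    name the client chose, so the stored file is never attacker-controlled."""
    if ext not in ALLOWED_IMAGE_TYPES:
        raise ValueError("extension must be validated first")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample: real JPEG header bytes followed by filler.
    sample_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(validate_profile_image("avatar.php", "image/jpeg", sample_jpeg))
    print(validate_profile_image("avatar.jpg", "image/jpeg", sample_jpeg))
```

Pair this with storing uploads outside the web root (or on a path the web server serves as static content only), so that even a file that slips through cannot be executed.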