  • Save virendratiwari03/0918aaba97eba31666630996ab3aeec3 to your computer and use it in GitHub Desktop.
Product: Microweber
Product Version: 1.1.18
Vulnerability:
Unrestricted file upload / no validation of image extensions in the add-image functionality on the profile page
Description:
The component is: Admin Account Profile Page. The attack vector is: no validation on profile image upload.
The vulnerability has been identified on the admin account page. An attacker can upload PHP code, or a file with any other extension (e.g. .exe), to the web server by submitting image data with the image/jpeg content type under a filename that has a .php extension.
Attack Type: Local
Impact:
No validation on the profile image upload allows a file with any extension to be uploaded through the admin profile page.
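The missing check, shown as an added example of a server-side validator (written for this note, not Microweber's code): it rejects the report's exact case, a .php filename sent with image/jpeg content type and real image bytes, and also rejects image filenames whose bytes are not an image. The allowlist, the 2 MiB cap and the single-dot filename rule are assumptions for the example.

```python
import os
import re
import secrets

# Allowlist of storage extensions and the magic bytes each must begin with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed profile-image cap (2 MiB)
# Exactly one dot: rejects shell.php.jpg, .htaccess and path tricks.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[a-z]+$")


def validate_profile_image(filename: str, content_type: str, data: bytes):
    """Return (True, stored_name) or (False, reason).

    The client-supplied content type and filename are never the decision
    point: the extension allowlist and the file's own leading bytes are.
    """
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        return False, "size"
    # Drop any path component the client sent, then lower-case for matching.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    if not SAFE_BASENAME.match(name):
        return False, "filename"
    ext = name.rsplit(".", 1)[1]
    if ext not in IMAGE_SIGNATURES:
        return False, "extension"  # .php, .exe, ... stop here
    # The bytes must really be the image type the extension claims.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content"
    # Declared MIME type must agree too (defence in depth only).
    expected_mime = "image/jpeg" if ext in ("jpg", "jpeg") else f"image/{ext}"
    if content_type.lower().split(";")[0].strip() != expected_mime:
        return False, "mime"
    # Never store under the client's name: the server picks a random one.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Serving the upload directory with script execution disabled is the second layer this check does not replace.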
Reference:
https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html