Common Weakness Enumeration

CWE-434

Allowed

Unrestricted Upload of File with Dangerous Type

Abstraction: Base · Status: Draft

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

5969 vulnerabilities reference this CWE, most recent first.

CVE-2023-22450 (GCVE-0-2023-22450)

Vulnerability from cvelistv5 – Published: 2023-06-05 23:17 – Updated: 2025-01-08 14:21
VLAI
Summary
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
Advantech WebAccess/SCADA Affected: 0 , ≤ v9.1.3 (custom)
Create a notification for this product.
Date Public
2023-06-01 17:00
Credits
YangLiu from Elex Feigong Research Institute reported these vulnerabilities to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:13:48.320Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-22450",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-08T14:21:03.532091Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-08T14:21:41.605Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WebAccess/SCADA",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThanOrEqual": "v9.1.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "YangLiu from Elex Feigong Research Institute reported these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2023-06-01T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution.\u003c/span\u003e\n\n\u003c/span\u003e\n\n"
            }
          ],
          "value": "\n\n\nIn Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution.\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-05T23:17:47.003Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech recommends WebAccess/SCADA users upgrade to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/installation?id=1-MS9MJV\"\u003ev9.1.4\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. \u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "\nAdvantech recommends WebAccess/SCADA users upgrade to  v9.1.4 https://www.advantech.com/en/support/details/installation . \n\n\n"
        }
      ],
      "source": {
        "advisory": "ICSA-23-152-01",
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2023-22450",
    "datePublished": "2023-06-05T23:17:47.003Z",
    "dateReserved": "2023-05-22T18:07:54.484Z",
    "dateUpdated": "2025-01-08T14:21:41.605Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-20196 (GCVE-0-2023-20196)

Vulnerability from cvelistv5 – Published: 2023-11-01 17:01 – Updated: 2024-08-02 09:05
VLAI
Summary
Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. These vulnerabilities are due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit these vulnerabilities by uploading a crafted file to an affected device. A successful exploit could allow the attacker to store malicious files in specific directories on the device. The attacker could later use those files to conduct additional attacks, including executing arbitrary code on the affected device with root privileges.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
Cisco Cisco Identity Services Engine Software Affected: 2.6.0
Affected: 2.6.0 p1
Affected: 2.6.0 p2
Affected: 2.6.0 p3
Affected: 2.6.0 p5
Affected: 2.6.0 p6
Affected: 2.6.0 p7
Affected: 2.6.0 p8
Affected: 2.6.0 p9
Affected: 2.6.0 p10
Affected: 2.6.0 p11
Affected: 2.6.0 p12
Affected: 2.7.0
Affected: 2.7.0 p1
Affected: 2.7.0 p2
Affected: 2.7.0 p3
Affected: 2.7.0 p4
Affected: 2.7.0 p5
Affected: 2.7.0 p6
Affected: 2.7.0 p7
Affected: 2.7.0 p9
Affected: 3.0.0
Affected: 3.0.0 p1
Affected: 3.0.0 p2
Affected: 3.0.0 p3
Affected: 3.0.0 p4
Affected: 3.0.0 p5
Affected: 3.0.0 p6
Affected: 3.0.0 p7
Affected: 3.1.0
Affected: 3.1.0 p1
Affected: 3.1.0 p3
Affected: 3.1.0 p4
Affected: 3.1.0 p5
Affected: 3.1.0 p6
Affected: 3.1.0 p7
Affected: 3.2.0
Affected: 3.2.0 p1
Affected: 3.2.0 p2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T09:05:36.920Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "cisco-sa-ise-file-upload-FceLP4xs",
            "tags": [
              "x_transferred"
            ],
            "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-FceLP4xs"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Identity Services Engine Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.0"
            },
            {
              "status": "affected",
              "version": "2.6.0 p1"
            },
            {
              "status": "affected",
              "version": "2.6.0 p2"
            },
            {
              "status": "affected",
              "version": "2.6.0 p3"
            },
            {
              "status": "affected",
              "version": "2.6.0 p5"
            },
            {
              "status": "affected",
              "version": "2.6.0 p6"
            },
            {
              "status": "affected",
              "version": "2.6.0 p7"
            },
            {
              "status": "affected",
              "version": "2.6.0 p8"
            },
            {
              "status": "affected",
              "version": "2.6.0 p9"
            },
            {
              "status": "affected",
              "version": "2.6.0 p10"
            },
            {
              "status": "affected",
              "version": "2.6.0 p11"
            },
            {
              "status": "affected",
              "version": "2.6.0 p12"
            },
            {
              "status": "affected",
              "version": "2.7.0"
            },
            {
              "status": "affected",
              "version": "2.7.0 p1"
            },
            {
              "status": "affected",
              "version": "2.7.0 p2"
            },
            {
              "status": "affected",
              "version": "2.7.0 p3"
            },
            {
              "status": "affected",
              "version": "2.7.0 p4"
            },
            {
              "status": "affected",
              "version": "2.7.0 p5"
            },
            {
              "status": "affected",
              "version": "2.7.0 p6"
            },
            {
              "status": "affected",
              "version": "2.7.0 p7"
            },
            {
              "status": "affected",
              "version": "2.7.0 p9"
            },
            {
              "status": "affected",
              "version": "3.0.0"
            },
            {
              "status": "affected",
              "version": "3.0.0 p1"
            },
            {
              "status": "affected",
              "version": "3.0.0 p2"
            },
            {
              "status": "affected",
              "version": "3.0.0 p3"
            },
            {
              "status": "affected",
              "version": "3.0.0 p4"
            },
            {
              "status": "affected",
              "version": "3.0.0 p5"
            },
            {
              "status": "affected",
              "version": "3.0.0 p6"
            },
            {
              "status": "affected",
              "version": "3.0.0 p7"
            },
            {
              "status": "affected",
              "version": "3.1.0"
            },
            {
              "status": "affected",
              "version": "3.1.0 p1"
            },
            {
              "status": "affected",
              "version": "3.1.0 p3"
            },
            {
              "status": "affected",
              "version": "3.1.0 p4"
            },
            {
              "status": "affected",
              "version": "3.1.0 p5"
            },
            {
              "status": "affected",
              "version": "3.1.0 p6"
            },
            {
              "status": "affected",
              "version": "3.1.0 p7"
            },
            {
              "status": "affected",
              "version": "3.2.0"
            },
            {
              "status": "affected",
              "version": "3.2.0 p1"
            },
            {
              "status": "affected",
              "version": "3.2.0 p2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. These vulnerabilities are due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit these vulnerabilities by uploading a crafted file to an affected device. A successful exploit could allow the attacker to store malicious files in specific directories on the device. The attacker could later use those files to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-25T16:57:54.983Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-ise-file-upload-FceLP4xs",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-FceLP4xs"
        }
      ],
      "source": {
        "advisory": "cisco-sa-ise-file-upload-FceLP4xs",
        "defects": [
          "CSCwd93720"
        ],
        "discovery": "INTERNAL"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2023-20196",
    "datePublished": "2023-11-01T17:01:34.690Z",
    "dateReserved": "2022-10-27T18:47:50.365Z",
    "dateUpdated": "2024-08-02T09:05:36.920Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-20195 (GCVE-0-2023-20195)

Vulnerability from cvelistv5 – Published: 2023-11-01 16:59 – Updated: 2024-08-02 09:05
VLAI
Summary
Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. These vulnerabilities are due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit these vulnerabilities by uploading a crafted file to an affected device. A successful exploit could allow the attacker to store malicious files in specific directories on the device. The attacker could later use those files to conduct additional attacks, including executing arbitrary code on the affected device with root privileges.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
Cisco Cisco Identity Services Engine Software Affected: 2.6.0
Affected: 2.6.0 p1
Affected: 2.6.0 p2
Affected: 2.6.0 p3
Affected: 2.6.0 p5
Affected: 2.6.0 p6
Affected: 2.6.0 p7
Affected: 2.6.0 p8
Affected: 2.6.0 p9
Affected: 2.6.0 p10
Affected: 2.6.0 p11
Affected: 2.6.0 p12
Affected: 2.7.0
Affected: 2.7.0 p1
Affected: 2.7.0 p2
Affected: 2.7.0 p3
Affected: 2.7.0 p4
Affected: 2.7.0 p5
Affected: 2.7.0 p6
Affected: 2.7.0 p7
Affected: 2.7.0 p9
Affected: 3.0.0
Affected: 3.0.0 p1
Affected: 3.0.0 p2
Affected: 3.0.0 p3
Affected: 3.0.0 p4
Affected: 3.0.0 p5
Affected: 3.0.0 p6
Affected: 3.0.0 p7
Affected: 3.1.0
Affected: 3.1.0 p1
Affected: 3.1.0 p3
Affected: 3.1.0 p4
Affected: 3.1.0 p5
Affected: 3.1.0 p6
Affected: 3.1.0 p7
Affected: 3.2.0
Affected: 3.2.0 p1
Affected: 3.2.0 p2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T09:05:35.963Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "cisco-sa-ise-file-upload-FceLP4xs",
            "tags": [
              "x_transferred"
            ],
            "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-FceLP4xs"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Identity Services Engine Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.0"
            },
            {
              "status": "affected",
              "version": "2.6.0 p1"
            },
            {
              "status": "affected",
              "version": "2.6.0 p2"
            },
            {
              "status": "affected",
              "version": "2.6.0 p3"
            },
            {
              "status": "affected",
              "version": "2.6.0 p5"
            },
            {
              "status": "affected",
              "version": "2.6.0 p6"
            },
            {
              "status": "affected",
              "version": "2.6.0 p7"
            },
            {
              "status": "affected",
              "version": "2.6.0 p8"
            },
            {
              "status": "affected",
              "version": "2.6.0 p9"
            },
            {
              "status": "affected",
              "version": "2.6.0 p10"
            },
            {
              "status": "affected",
              "version": "2.6.0 p11"
            },
            {
              "status": "affected",
              "version": "2.6.0 p12"
            },
            {
              "status": "affected",
              "version": "2.7.0"
            },
            {
              "status": "affected",
              "version": "2.7.0 p1"
            },
            {
              "status": "affected",
              "version": "2.7.0 p2"
            },
            {
              "status": "affected",
              "version": "2.7.0 p3"
            },
            {
              "status": "affected",
              "version": "2.7.0 p4"
            },
            {
              "status": "affected",
              "version": "2.7.0 p5"
            },
            {
              "status": "affected",
              "version": "2.7.0 p6"
            },
            {
              "status": "affected",
              "version": "2.7.0 p7"
            },
            {
              "status": "affected",
              "version": "2.7.0 p9"
            },
            {
              "status": "affected",
              "version": "3.0.0"
            },
            {
              "status": "affected",
              "version": "3.0.0 p1"
            },
            {
              "status": "affected",
              "version": "3.0.0 p2"
            },
            {
              "status": "affected",
              "version": "3.0.0 p3"
            },
            {
              "status": "affected",
              "version": "3.0.0 p4"
            },
            {
              "status": "affected",
              "version": "3.0.0 p5"
            },
            {
              "status": "affected",
              "version": "3.0.0 p6"
            },
            {
              "status": "affected",
              "version": "3.0.0 p7"
            },
            {
              "status": "affected",
              "version": "3.1.0"
            },
            {
              "status": "affected",
              "version": "3.1.0 p1"
            },
            {
              "status": "affected",
              "version": "3.1.0 p3"
            },
            {
              "status": "affected",
              "version": "3.1.0 p4"
            },
            {
              "status": "affected",
              "version": "3.1.0 p5"
            },
            {
              "status": "affected",
              "version": "3.1.0 p6"
            },
            {
              "status": "affected",
              "version": "3.1.0 p7"
            },
            {
              "status": "affected",
              "version": "3.2.0"
            },
            {
              "status": "affected",
              "version": "3.2.0 p1"
            },
            {
              "status": "affected",
              "version": "3.2.0 p2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. These vulnerabilities are due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit these vulnerabilities by uploading a crafted file to an affected device. A successful exploit could allow the attacker to store malicious files in specific directories on the device. The attacker could later use those files to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-25T16:57:54.662Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-ise-file-upload-FceLP4xs",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-FceLP4xs"
        }
      ],
      "source": {
        "advisory": "cisco-sa-ise-file-upload-FceLP4xs",
        "defects": [
          "CSCwd93717"
        ],
        "discovery": "INTERNAL"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2023-20195",
    "datePublished": "2023-11-01T16:59:40.981Z",
    "dateReserved": "2022-10-27T18:47:50.365Z",
    "dateUpdated": "2024-08-02T09:05:35.963Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-20073 (GCVE-0-2023-20073)

Vulnerability from cvelistv5 – Published: 2023-04-05 00:00 – Updated: 2024-10-28 16:31
VLAI
Title
Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability
Summary
A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Date Public
2023-02-02 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:57:35.586Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20230202 Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-20073",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-28T16:24:28.915280Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-28T16:31:07.204Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Small Business RV Series Router Firmware",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2023-02-02T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-05T00:00:00.000Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20230202 Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V"
        }
      ],
      "source": {
        "advisory": "cisco-sa-sb-rv-afu-EXxwA65V",
        "defect": [
          [
            "CSCwe04040"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2023-20073",
    "datePublished": "2023-04-05T00:00:00.000Z",
    "dateReserved": "2022-10-27T00:00:00.000Z",
    "dateUpdated": "2024-10-28T16:31:07.204Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-7330 (GCVE-0-2023-7330)

Vulnerability from cvelistv5 – Published: 2025-11-24 20:31 – Updated: 2025-11-25 13:04 X_Known Exploited Vulnerability
VLAI
Title
Ruijie Networks NBR Routers Unauthenticated Arbitrary File Upload via fileupload.php
Summary
Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7330",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T21:06:20.265588Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T21:06:27.538Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "NBR Series Routers",
          "vendor": "Beijing Star-Net Ruijie Network Technology Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:h:ruijie:rg-nbr*:-:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service.\u0026nbsp;Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC."
            }
          ],
          "value": "Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-25T13:04:06.622Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://cn-sec.com/archives/1995366.html"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.cnblogs.com/Domren/articles/19093295"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://rfk0z.github.io/posts/Ruijie-NBR-router-fileupload-php-arbitrary-file-upload-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/ruijie-networks-nbr-routers-unauthenticated-arbitrary-file-upload-via-fileuploadphp"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_known-exploited-vulnerability"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-01-01T17:00:00.000Z",
          "value": "Vulnerability is publicly disclosed in 2023"
        }
      ],
      "title": "Ruijie Networks NBR Routers Unauthenticated Arbitrary File Upload via fileupload.php",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2023-7330",
    "datePublished": "2025-11-24T20:31:19.914Z",
    "dateReserved": "2025-11-24T19:18:42.972Z",
    "dateUpdated": "2025-11-25T13:04:06.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-7309 (GCVE-0-2023-7309)

Vulnerability from cvelistv5 – Published: 2025-08-27 21:23 – Updated: 2026-05-25 23:41 X_Known Exploited Vulnerability Unsupported When Assigned
VLAI
Title
Dahua Smart Park Integrated Management Platform Front-End Arbitrary File Upload
Summary
A path traversal vulnerability exists in the Dahua Smart Park Integrated Management Platform (also referred to as the Dahua Smart Campus Integrated Management Platform), affecting the SOAP-based GIS bitmap upload interface. The flaw allows unauthenticated remote attackers to upload arbitrary files to the server via crafted SOAP requests, including executable JSP payloads. Successful exploitation may lead to remote code execution (RCE) and full compromise of the affected system. The vulnerability is presumed to affect builds released prior to September 2023 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-02-15 UTC.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Credits
Li Huohuo
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7309",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-28T13:57:30.923294Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-28T13:57:49.018Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "GIS SOAP Webservice (/emap/webservice/gis/soap/bitmap)"
          ],
          "product": "Smart Park Integrated Management Platform",
          "vendor": "Zhejiang Dahua Technology Co., Ltd.",
          "versions": [
            {
              "lessThanOrEqual": "*",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Li Huohuo"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA path traversal vulnerability exists in the Dahua Smart Park Integrated Management Platform (also referred to as the Dahua Smart Campus Integrated Management Platform), affecting the SOAP-based GIS bitmap upload interface. The flaw allows unauthenticated remote attackers to upload arbitrary files to the server via crafted SOAP requests, including executable JSP payloads. Successful exploitation may lead to remote code execution (RCE) and full compromise of the affected system.\u0026nbsp;The vulnerability is presumed to affect builds released prior to September 2023 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined.\u0026nbsp;Exploitation evidence was first observed by the Shadowserver Foundation on \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e2024-02-15 UTC\u003c/span\u003e.\u003c/p\u003e"
            }
          ],
          "value": "A path traversal vulnerability exists in the Dahua Smart Park Integrated Management Platform (also referred to as the Dahua Smart Campus Integrated Management Platform), affecting the SOAP-based GIS bitmap upload interface. The flaw allows unauthenticated remote attackers to upload arbitrary files to the server via crafted SOAP requests, including executable JSP payloads. Successful exploitation may lead to remote code execution (RCE) and full compromise of the affected system.\u00a0The vulnerability is presumed to affect builds released prior to September 2023 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined.\u00a0Exploitation evidence was first observed by the Shadowserver Foundation on 2024-02-15 UTC."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-25T23:41:24.365Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://support.dahuatech.com/bulletin/info?IsDpValue=hJVIA5%2BGjY24RaJ%2FIGLBoTg6hGbLYAQKuf5hnmPaK9M%3D"
        },
        {
          "tags": [
            "technical-description",
            "exploit"
          ],
          "url": "https://developer.aliyun.com/article/1333161"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/tequilasunsh1ne/dahua_bitmap_fileupload"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/dahua-smart-park-integrated-management-platform-front-end-arbitrary-file-upload"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_known-exploited-vulnerability",
        "unsupported-when-assigned"
      ],
      "title": "Dahua Smart Park Integrated Management Platform Front-End Arbitrary File Upload",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2023-7309",
    "datePublished": "2025-08-27T21:23:59.636Z",
    "dateReserved": "2025-08-27T16:57:56.857Z",
    "dateUpdated": "2026-05-25T23:41:24.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-7305 (GCVE-0-2023-7305)

Vulnerability from cvelistv5 – Published: 2025-10-15 01:24 – Updated: 2025-11-07 17:14 X_Known Exploited Vulnerability
VLAI
Title
SmartBI RMIServlet Unrestricted File Upload RCE
Summary
SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
Guangzhou Smart Software Co., Ltd. SmartBI Affected: V8 , < July 2023 update (custom)
Affected: V9 , < July 2023 update (custom)
Affected: V10 , < July 2023 update (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7305",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T18:40:09.175713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T18:44:11.365Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SmartBI",
          "vendor": "Guangzhou Smart Software Co., Ltd.",
          "versions": [
            {
              "lessThan": "July 2023 update",
              "status": "affected",
              "version": "V8",
              "versionType": "custom"
            },
            {
              "lessThan": "July 2023 update",
              "status": "affected",
              "version": "V9",
              "versionType": "custom"
            },
            {
              "lessThan": "July 2023 update",
              "status": "affected",
              "version": "V10",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw.\u0026nbsp;VulnCheck has observed this vulnerability being exploited in the wild.\u003cbr\u003e"
            }
          ],
          "value": "SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw.\u00a0VulnCheck has observed this vulnerability being exploited in the wild."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T17:14:37.318Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.smartbi.com.cn/patchinfo"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://avd.aliyun.com/detail?id=AVD-2023-1673292"
        },
        {
          "tags": [
            "technical-description",
            "exploit"
          ],
          "url": "https://jeyiuwai.pages.dev/posts/1day-%E8%B7%9F%E8%B8%AAsmartbi-rmiservlet-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/smartbi-rmiservlet-unrestricted-file-upload-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_known-exploited-vulnerability"
      ],
      "title": "SmartBI RMIServlet Unrestricted File Upload RCE",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2023-7305",
    "datePublished": "2025-10-15T01:24:53.813Z",
    "dateReserved": "2025-07-24T13:59:55.261Z",
    "dateUpdated": "2025-11-07T17:14:37.318Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-7212 (GCVE-0-2023-7212)

Vulnerability from cvelistv5 – Published: 2024-01-07 16:31 – Updated: 2025-06-03 14:39
VLAI
Title
DeDeCMS Backend file_class.php unrestricted upload
Summary
A vulnerability classified as critical has been found in DeDeCMS up to 5.7.112. Affected is an unknown function of the file file_class.php of the component Backend. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249768. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a DeDeCMS Affected: 5.7.112
Credits
Alphabug (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:57:35.819Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.249768"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.249768"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://hmxwjm7x03.feishu.cn/docx/FPjhdYcQvocR4gxy34Rc0pmon5e?from=from_copylink"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7212",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T19:10:21.698440Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T14:39:35.133Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Backend"
          ],
          "product": "DeDeCMS",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "5.7.112"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "Alphabug (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as critical has been found in DeDeCMS up to 5.7.112. Affected is an unknown function of the file file_class.php of the component Backend. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249768. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Es wurde eine kritische Schwachstelle in DeDeCMS bis 5.7.112 entdeckt. Dabei betrifft es einen unbekannter Codeteil der Datei file_class.php der Komponente Backend. Mit der Manipulation mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.8,
            "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-07T16:31:03.923Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.249768"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.249768"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://hmxwjm7x03.feishu.cn/docx/FPjhdYcQvocR4gxy34Rc0pmon5e?from=from_copylink"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-01-05T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-01-05T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-01-05T12:03:32.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "DeDeCMS Backend file_class.php unrestricted upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-7212",
    "datePublished": "2024-01-07T16:31:03.923Z",
    "dateReserved": "2024-01-05T10:57:59.580Z",
    "dateUpdated": "2025-06-03T14:39:35.133Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-7181 (GCVE-0-2023-7181)

Vulnerability from cvelistv5 – Published: 2023-12-30 18:00 – Updated: 2024-11-20 16:54
VLAI
Title
Muyun DedeBIZ Add Attachment unrestricted upload
Summary
A vulnerability was found in Muyun DedeBIZ up to 6.2.12 and classified as critical. Affected by this issue is some unknown functionality of the component Add Attachment Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249368. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Muyun DedeBIZ Affected: 6.2.0
Affected: 6.2.1
Affected: 6.2.2
Affected: 6.2.3
Affected: 6.2.4
Affected: 6.2.5
Affected: 6.2.6
Affected: 6.2.7
Affected: 6.2.8
Affected: 6.2.9
Affected: 6.2.10
Affected: 6.2.11
Affected: 6.2.12
Create a notification for this product.
Credits
JTZ- (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:50:08.191Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.249368"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.249368"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://github.com/JTZ-a/SRC/blob/master/DedeBIZ/DedeBIZ%20-%20file%20upload/README.md"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7181",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-12T17:05:57.929657Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-20T16:54:58.291Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Add Attachment Handler"
          ],
          "product": "DedeBIZ",
          "vendor": "Muyun",
          "versions": [
            {
              "status": "affected",
              "version": "6.2.0"
            },
            {
              "status": "affected",
              "version": "6.2.1"
            },
            {
              "status": "affected",
              "version": "6.2.2"
            },
            {
              "status": "affected",
              "version": "6.2.3"
            },
            {
              "status": "affected",
              "version": "6.2.4"
            },
            {
              "status": "affected",
              "version": "6.2.5"
            },
            {
              "status": "affected",
              "version": "6.2.6"
            },
            {
              "status": "affected",
              "version": "6.2.7"
            },
            {
              "status": "affected",
              "version": "6.2.8"
            },
            {
              "status": "affected",
              "version": "6.2.9"
            },
            {
              "status": "affected",
              "version": "6.2.10"
            },
            {
              "status": "affected",
              "version": "6.2.11"
            },
            {
              "status": "affected",
              "version": "6.2.12"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "JTZ- (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Muyun DedeBIZ up to 6.2.12 and classified as critical. Affected by this issue is some unknown functionality of the component Add Attachment Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249368. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in Muyun DedeBIZ bis 6.2.12 gefunden. Sie wurde als kritisch eingestuft. Betroffen davon ist ein unbekannter Prozess der Komponente Add Attachment Handler. Durch das Beeinflussen mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.8,
            "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-30T18:00:05.216Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.249368"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.249368"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/JTZ-a/SRC/blob/master/DedeBIZ/DedeBIZ%20-%20file%20upload/README.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-29T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-12-29T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-12-29T23:25:02.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Muyun DedeBIZ Add Attachment unrestricted upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-7181",
    "datePublished": "2023-12-30T18:00:05.216Z",
    "dateReserved": "2023-12-29T22:19:46.703Z",
    "dateUpdated": "2024-11-20T16:54:58.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-7159 (GCVE-0-2023-7159)

Vulnerability from cvelistv5 – Published: 2023-12-29 07:00 – Updated: 2024-08-02 08:50
VLAI
Title
gopeak MasterLab User.php update unrestricted upload
Summary
A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability.
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.249181 vdb-entrytechnical-description
https://vuldb.com/?ctiid.249181 signaturepermissions-required
https://note.zhaoj.in/share/jNbywlXI46HV broken-linkexploit
https://note.zhaoj.in/share/FE79uijyqmG7 broken-link
Impacted products
Vendor Product Version
gopeak MasterLab Affected: 3.3.0
Affected: 3.3.1
Affected: 3.3.2
Affected: 3.3.3
Affected: 3.3.4
Affected: 3.3.5
Affected: 3.3.6
Affected: 3.3.7
Affected: 3.3.8
Affected: 3.3.9
Affected: 3.3.10
Create a notification for this product.
Credits
glzjin (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:50:08.272Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.249181"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.249181"
          },
          {
            "tags": [
              "broken-link",
              "exploit",
              "x_transferred"
            ],
            "url": "https://note.zhaoj.in/share/jNbywlXI46HV"
          },
          {
            "tags": [
              "broken-link",
              "x_transferred"
            ],
            "url": "https://note.zhaoj.in/share/FE79uijyqmG7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MasterLab",
          "vendor": "gopeak",
          "versions": [
            {
              "status": "affected",
              "version": "3.3.0"
            },
            {
              "status": "affected",
              "version": "3.3.1"
            },
            {
              "status": "affected",
              "version": "3.3.2"
            },
            {
              "status": "affected",
              "version": "3.3.3"
            },
            {
              "status": "affected",
              "version": "3.3.4"
            },
            {
              "status": "affected",
              "version": "3.3.5"
            },
            {
              "status": "affected",
              "version": "3.3.6"
            },
            {
              "status": "affected",
              "version": "3.3.7"
            },
            {
              "status": "affected",
              "version": "3.3.8"
            },
            {
              "status": "affected",
              "version": "3.3.9"
            },
            {
              "status": "affected",
              "version": "3.3.10"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "glzjin (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability."
        },
        {
          "lang": "de",
          "value": "In gopeak MasterLab bis 3.3.10 wurde eine kritische Schwachstelle ausgemacht. Das betrifft die Funktion add/update der Datei app/ctrl/admin/User.php. Durch das Beeinflussen des Arguments avatar mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.8,
            "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-13T07:30:50.274Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.249181"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.249181"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://note.zhaoj.in/share/jNbywlXI46HV"
        },
        {
          "tags": [
            "broken-link"
          ],
          "url": "https://note.zhaoj.in/share/FE79uijyqmG7"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-28T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-12-28T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-12-28T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-01-20T13:18:23.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "gopeak MasterLab User.php update unrestricted upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-7159",
    "datePublished": "2023-12-29T07:00:05.537Z",
    "dateReserved": "2023-12-28T14:39:02.258Z",
    "dateUpdated": "2024-08-02T08:50:08.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]

Mitigation MIT-21
Architecture and Design

Strategy: Enforcement by Conversion

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Mitigation
Architecture and Design

Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.
Mitigation
Architecture and Design

Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.

Mitigation
Implementation

Strategy: Input Validation

Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]

Mitigation
Implementation

When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.

Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation
Implementation

Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.

Mitigation
Implementation

Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.