Common Weakness Enumeration

CWE-434

Allowed

Unrestricted Upload of File with Dangerous Type

Abstraction: Base · Status: Draft

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

5971 vulnerabilities reference this CWE, most recent first.

GHSA-QXVG-H7Q2-HCXH

Vulnerability from github – Published: 2026-06-23 18:53 – Updated: 2026-06-23 18:53
VLAI
Summary
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)
Details

Summary

A multi‑stage chain in motionEye leads to remote code execution. The chain combines:

  1. Arbitrary file read (LFI) via the picture download endpoint for local motion cameras using absolute paths.
  2. Pass‑the‑hash admin auth due to accepting request signatures computed with password hashes.
  3. Unsafe config restore that extracts attacker‑controlled tarballs into CONF_PATH.
  4. Unauthenticated action execution via /action/<id>/<action>.

If the normal user password is unset, the chain becomes unauthenticated RCE. If a normal password exists, a normal user can still achieve admin escalation and RCE.


Affected Code (motionEye repo)

1) LFI (absolute path) — picture/<id>/download

Files: - motioneye/motioneye/handlers/picture.pydownload() (local motion camera branch) - motioneye/motioneye/mediafiles.pyget_media_content()

Issue: get_media_content() only blocks .. and then joins target_dir with path. Absolute paths (e.g. /etc/hosts) bypass the join and are read directly.

2) Pass‑the‑hash admin auth

File: motioneye/motioneye/handlers/base.pyget_current_user()

Issue: The signature check allows signatures computed using the admin password hash (SHA1) as the key. If the hash is leaked (via LFI), admin access can be obtained without the plaintext password.

3) Unsafe restore (tar extraction)

File: motioneye/motioneye/config.pyrestore()

Issue: tar zxC CONF_PATH is used on user‑supplied data without sanitizing entries. A crafted tar can drop executable files into CONF_PATH.

4) Unauthenticated action execution

File: motioneye/motioneye/handlers/action.pypost()

Issue: No authentication decorator is present. It executes <action>_<camera_id> found in CONF_PATH with subprocess.Popen.


Exploit Chain (Detailed)

  1. Create or find a local motion camera id (local motion cameras are required for the vulnerable LFI path).
  2. LFI via picture download:
  3. Request: /picture/<id>/download/<absolute_path>
  4. Example: /picture/1/download/%2Fetc%2Fhosts
  5. Result: Arbitrary file read.
  6. Read admin hash from /etc/motioneye/motion.conf:
  7. Contains @admin_password <SHA1_HASH>.
  8. Pass‑the‑hash admin:
  9. Compute signature for /config/restore?_username=admin using the hash as key.
  10. Admin access is accepted with hash‑based signatures.
  11. Restore malicious tar:
  12. Upload a tar containing lock_<id> (or any action) as an executable.
  13. File is written into CONF_PATH by restore.
  14. Trigger unauth action:
  15. POST /action/<id>/lock
  16. The server executes the injected file.

Proof of Execution (Observed Output)

In local testing, the injected action created a marker file:

/tmp/meye_rce_ok

Verification command:

docker exec -it motioneye ls -la /tmp | grep meye_rce_ok

Example output:

-rw-r--r-- 1 root root 0 ... /tmp/meye_rce_ok

Preconditions / Requirements

  • At least one local motion camera exists (e.g., netcam_url, videodevice).
  • picture/<id>/download is reachable:
  • Unauth if @normal_password is empty (default in some installs).
  • Auth required if normal password is set (attacker needs normal creds).

Impact

  • Unauth RCE (normal password unset).
  • Authenticated RCE (normal user → admin → RCE).
  • Arbitrary file read on server filesystem.
  • Full compromise of motionEye process account.

Suggested Fixes

  1. Block absolute paths in get_media_content() and get_media_path().
  2. Remove hash‑based signature acceptance; only accept signatures computed with plaintext passwords.
  3. Harden restore: reject absolute paths, .., symlinks, non‑regular files.
  4. Require authentication on ActionHandler (admin‑only).
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "motioneye"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-269",
      "CWE-306",
      "CWE-347",
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T18:53:04Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\nA multi\u2011stage chain in motionEye leads to remote code execution. The chain combines:\n\n1. **Arbitrary file read (LFI)** via the picture download endpoint for **local motion cameras** using absolute paths.\n2. **Pass\u2011the\u2011hash admin auth** due to accepting request signatures computed with password hashes.\n3. **Unsafe config restore** that extracts attacker\u2011controlled tarballs into `CONF_PATH`.\n4. **Unauthenticated action execution** via `/action/\u003cid\u003e/\u003caction\u003e`.\n\nIf the **normal user password is unset**, the chain becomes **unauthenticated RCE**. If a normal password exists, a **normal user** can still achieve **admin escalation and RCE**.\n\n---\n\n## Affected Code (motionEye repo)\n\n### 1) LFI (absolute path) \u2014 `picture/\u003cid\u003e/download`\n**Files:**\n- `motioneye/motioneye/handlers/picture.py` \u2192 `download()` (local motion camera branch)\n- `motioneye/motioneye/mediafiles.py` \u2192 `get_media_content()`\n\n**Issue:** `get_media_content()` only blocks `..` and then joins `target_dir` with `path`. Absolute paths (e.g. `/etc/hosts`) bypass the join and are read directly.\n\n### 2) Pass\u2011the\u2011hash admin auth\n**File:** `motioneye/motioneye/handlers/base.py` \u2192 `get_current_user()`\n\n**Issue:** The signature check allows signatures computed using the **admin password hash** (SHA1) as the key. If the hash is leaked (via LFI), admin access can be obtained without the plaintext password.\n\n### 3) Unsafe restore (tar extraction)\n**File:** `motioneye/motioneye/config.py` \u2192 `restore()`\n\n**Issue:** `tar zxC CONF_PATH` is used on user\u2011supplied data without sanitizing entries. A crafted tar can drop executable files into `CONF_PATH`.\n\n### 4) Unauthenticated action execution\n**File:** `motioneye/motioneye/handlers/action.py` \u2192 `post()`\n\n**Issue:** No authentication decorator is present. It executes `\u003caction\u003e_\u003ccamera_id\u003e` found in `CONF_PATH` with `subprocess.Popen`.\n\n---\n\n## Exploit Chain (Detailed)\n\n1. **Create or find a local motion camera id** (local motion cameras are required for the vulnerable LFI path).\n2. **LFI via picture download**:\n   - Request: `/picture/\u003cid\u003e/download/\u003cabsolute_path\u003e`\n   - Example: `/picture/1/download/%2Fetc%2Fhosts`\n   - Result: Arbitrary file read.\n3. **Read admin hash** from `/etc/motioneye/motion.conf`:\n   - Contains `@admin_password \u003cSHA1_HASH\u003e`.\n4. **Pass\u2011the\u2011hash admin**:\n   - Compute signature for `/config/restore?_username=admin` using the **hash** as key.\n   - Admin access is accepted with hash\u2011based signatures.\n5. **Restore malicious tar**:\n   - Upload a tar containing `lock_\u003cid\u003e` (or any action) as an executable.\n   - File is written into `CONF_PATH` by restore.\n6. **Trigger unauth action**:\n   - POST `/action/\u003cid\u003e/lock`\n   - The server executes the injected file.\n\n---\n\n## Proof of Execution (Observed Output)\nIn local testing, the injected action created a marker file:\n\n```\n/tmp/meye_rce_ok\n```\n\nVerification command:\n```\ndocker exec -it motioneye ls -la /tmp | grep meye_rce_ok\n```\nExample output:\n```\n-rw-r--r-- 1 root root 0 ... /tmp/meye_rce_ok\n```\n\n---\n\n## Preconditions / Requirements\n\n- At least **one local motion camera** exists (e.g., `netcam_url`, `videodevice`).\n- `picture/\u003cid\u003e/download` is reachable:\n  - **Unauth** if `@normal_password` is empty (default in some installs).\n  - **Auth required** if normal password is set (attacker needs normal creds).\n\n---\n\n## Impact\n- **Unauth RCE** (normal password unset).\n- **Authenticated RCE** (normal user \u2192 admin \u2192 RCE).\n- Arbitrary file read on server filesystem.\n- Full compromise of motionEye process account.\n\n---\n\n## Suggested Fixes\n1. **Block absolute paths** in `get_media_content()` and `get_media_path()`.\n2. **Remove hash\u2011based signature acceptance**; only accept signatures computed with plaintext passwords.\n3. **Harden restore**: reject absolute paths, `..`, symlinks, non\u2011regular files.\n4. **Require authentication** on `ActionHandler` (admin\u2011only).",
  "id": "GHSA-qxvg-h7q2-hcxh",
  "modified": "2026-06-23T18:53:04Z",
  "published": "2026-06-23T18:53:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-qxvg-h7q2-hcxh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/motioneye-project/motioneye"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "motionEye: LFI \u2192 pass\u2011the\u2011hash admin \u2192 unsafe restore \u2192 unauth action exec (RCE)"
}

GHSA-QXWC-277H-58RW

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2022-10-13 12:00
VLAI
Details

A vulnerability has been found in SourceCodester Human Resource Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /employeeview.php of the component Image File Handler. The manipulation leads to unrestricted upload. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-210559.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-284",
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-12T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been found in SourceCodester Human Resource Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /employeeview.php of the component Image File Handler. The manipulation leads to unrestricted upload. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-210559.",
  "id": "GHSA-qxwc-277h-58rw",
  "modified": "2022-10-13T12:00:26Z",
  "published": "2022-10-12T12:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3458"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.210559"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QXX8-X6C8-JHVR

Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31
VLAI
Details

Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files.

This issue affects OMGF Pro: from n/a through 5.2.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T19:16:45Z",
    "severity": "CRITICAL"
  },
  "details": "Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files.\n\nThis issue affects OMGF Pro: from n/a through 5.2.6.",
  "id": "GHSA-qxx8-x6c8-jhvr",
  "modified": "2026-06-25T21:31:30Z",
  "published": "2026-06-25T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57700"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/host-google-fonts-pro/vulnerability/wordpress-omgf-pro-plugin-5-2-6-arbitrary-file-upload-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R26G-5XH6-PGWP

Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2026-04-08 21:32
VLAI
Details

The Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-20T07:15:09Z",
    "severity": "HIGH"
  },
  "details": "The Management App for WooCommerce \u2013 Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible.",
  "id": "GHSA-r26g-5xh6-pgwp",
  "modified": "2026-04-08T21:32:23Z",
  "published": "2024-03-20T15:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1205"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wemanage-app-worker/trunk/includes/class-nouvello-wemanage-worker-api-wc-ext-controller-functions.php#L982"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wemanage-app-worker/trunk/includes/class-nouvello-wemanage-worker-api-wc-ext-controller.php#L166"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3056070%40wemanage-app-worker\u0026new=3056070%40wemanage-app-worker\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3057589%40wemanage-app-worker\u0026new=3057589%40wemanage-app-worker\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4219c10-9d2a-429d-9ac7-61efc02bd4cf?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R26W-F5JV-H3PR

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18
VLAI
Details

There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existing files or create new files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-22T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existing files or create new files.",
  "id": "GHSA-r26w-f5jv-h3pr",
  "modified": "2022-05-24T19:18:39Z",
  "published": "2022-05-24T19:18:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38471"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R2H3-J8V9-WX8V

Vulnerability from github – Published: 2026-03-06 15:31 – Updated: 2026-03-06 15:31
VLAI
Details

Precurio Intranet Portal 2.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by submitting crafted POST requests. Attackers can forge requests to the /public/admin/user/submitnew endpoint with user creation parameters to add new admin accounts without requiring CSRF tokens or user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-06T13:15:57Z",
    "severity": "MODERATE"
  },
  "details": "Precurio Intranet Portal 2.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by submitting crafted POST requests. Attackers can forge requests to the /public/admin/user/submitnew endpoint with user creation parameters to add new admin accounts without requiring CSRF tokens or user interaction.",
  "id": "GHSA-r2h3-j8v9-wx8v",
  "modified": "2026-03-06T15:31:29Z",
  "published": "2026-03-06T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25168"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45860"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/precurio-intranet-portal-cross-site-request-forgery-add-admin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R2P5-4W5H-4HFC

Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32
VLAI
Details

A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T14:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-434 \"Unrestricted Upload of File with Dangerous Type\" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.",
  "id": "GHSA-r2p5-4w5h-4hfc",
  "modified": "2025-02-12T15:32:00Z",
  "published": "2025-02-12T15:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26350"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26350"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2VJ-428G-V68V

Vulnerability from github – Published: 2023-10-20 09:30 – Updated: 2026-02-23 09:31
VLAI
Details

Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows

Remote Code Execution

via specific file types

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-20T07:15:17Z",
    "severity": "HIGH"
  },
  "details": "Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution\n\n via specific file types",
  "id": "GHSA-r2vj-428g-v68v",
  "modified": "2026-02-23T09:31:18Z",
  "published": "2023-10-20T09:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5524"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2023-5524"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/cve-2023-5524"
    },
    {
      "type": "WEB",
      "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5524"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2WM-99X8-326H

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

An arbitrary file upload vulnerability in the move_uploaded_file() function of LJCMS v4.3 allows attackers to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-20979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-12T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An arbitrary file upload vulnerability in the move_uploaded_file() function of LJCMS v4.3 allows attackers to execute arbitrary code.",
  "id": "GHSA-r2wm-99x8-326h",
  "modified": "2022-05-24T19:10:57Z",
  "published": "2022-05-24T19:10:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20979"
    },
    {
      "type": "WEB",
      "url": "https://github.com/0xyu/PHP_Learning/issues/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R2XX-Q7FF-W5P5

Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-01 18:32
VLAI
Details

Unrestricted Upload of File with Dangerous Type vulnerability in WidgiLabs Plugin Propagator allows Upload a Web Shell to a Web Server.This issue affects Plugin Propagator: from n/a through 0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T21:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Unrestricted Upload of File with Dangerous Type vulnerability in WidgiLabs Plugin Propagator allows Upload a Web Shell to a Web Server.This issue affects Plugin Propagator: from n/a through 0.1.",
  "id": "GHSA-r2xx-q7ff-w5p5",
  "modified": "2026-04-01T18:32:11Z",
  "published": "2024-10-28T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50495"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/wp-propagator/vulnerability/wordpress-plugin-propagator-plugin-0-1-arbitrary-file-upload-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wp-propagator/wordpress-plugin-propagator-plugin-0-1-arbitrary-file-upload-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]

Mitigation MIT-21
Architecture and Design

Strategy: Enforcement by Conversion

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Mitigation
Architecture and Design

Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.
Mitigation
Architecture and Design

Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.

Mitigation
Implementation

Strategy: Input Validation

Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]

Mitigation
Implementation

When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.

Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation
Implementation

Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.

Mitigation
Implementation

Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.