Vulnerabilites related to multiple_file_upload_project - multiple_file_upload
Vulnerability from fkie_nvd
Published
2025-05-05 14:15
Modified
2025-08-26 20:15
Severity ?
Summary
The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| multiple_file_upload_project | multiple_file_upload | 3.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:multiple_file_upload_project:multiple_file_upload:3.1.0:*:*:*:*:outsystems:*:*",
"matchCriteriaId": "7FC6134C-BD60-43D3-A3C7-C2FB4740B03D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems."
},
{
"lang": "es",
"value": "La versi\u00f3n anterior a la 3.1.0 de Outsystems Multiple File Upload es vulnerable a la carga de archivos sin restricciones. Esta vulnerabilidad se debe a que las validaciones de extensi\u00f3n y tama\u00f1o de archivo se aplican \u00fanicamente en el lado del cliente. Un atacante puede interceptar la solicitud de carga y modificar el par\u00e1metro para eludir las restricciones de extensi\u00f3n y cargar archivos arbitrarios."
}
],
"id": "CVE-2025-28168",
"lastModified": "2025-08-26T20:15:39.240",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
}
]
},
"published": "2025-05-05T14:15:28.500",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/IamLeandrooooo/01090be3023f5e7c7397bb9b1f5505b9"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.outsystems.com/forge/component-overview/200/multiple-file-upload-o11"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-602"
}
],
"source": "cve@mitre.org",
"type": "Primary"
}
]
}
CVE-2025-28168 (GCVE-0-2025-28168)
Vulnerability from cvelistv5
Published
2025-05-05 00:00
Modified
2025-08-26 19:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Summary
The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Multi Uploaders | Multiple File Upload |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-28168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T17:37:40.325479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T19:27:57.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Multiple File Upload",
"vendor": "Multi Uploaders",
"versions": [
{
"lessThan": "3.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602 Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T17:45:22.186Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.outsystems.com/forge/component-overview/200/multiple-file-upload-o11"
},
{
"url": "https://gist.github.com/IamLeandrooooo/01090be3023f5e7c7397bb9b1f5505b9"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28168",
"datePublished": "2025-05-05T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-08-26T19:27:57.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}