fkie_cve-2025-28168
Vulnerability from fkie_nvd
Published
2025-05-05 14:15
Modified
2025-08-26 20:15
Severity ?
Summary
The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| multiple_file_upload_project | multiple_file_upload | 3.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:multiple_file_upload_project:multiple_file_upload:3.1.0:*:*:*:*:outsystems:*:*",
"matchCriteriaId": "7FC6134C-BD60-43D3-A3C7-C2FB4740B03D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems."
},
{
"lang": "es",
"value": "La versi\u00f3n anterior a la 3.1.0 de Outsystems Multiple File Upload es vulnerable a la carga de archivos sin restricciones. Esta vulnerabilidad se debe a que las validaciones de extensi\u00f3n y tama\u00f1o de archivo se aplican \u00fanicamente en el lado del cliente. Un atacante puede interceptar la solicitud de carga y modificar el par\u00e1metro para eludir las restricciones de extensi\u00f3n y cargar archivos arbitrarios."
}
],
"id": "CVE-2025-28168",
"lastModified": "2025-08-26T20:15:39.240",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
}
]
},
"published": "2025-05-05T14:15:28.500",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/IamLeandrooooo/01090be3023f5e7c7397bb9b1f5505b9"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.outsystems.com/forge/component-overview/200/multiple-file-upload-o11"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-602"
}
],
"source": "cve@mitre.org",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…