CVE-2023-52086
Severity CVSS v4.0:
Pending analysis
Type:
CWE-434
Unrestricted Upload of File with Dangerous Type
Publication date:
26/12/2023
Last modified:
04/01/2024
Description
resumable.php (aka PHP backend for resumable.js) 0.1.4 before 3c6dbf5 allows arbitrary file upload anywhere in the filesystem via ../ in multipart/form-data content to upload.php. (File overwrite hasn't been possible with the code available in GitHub in recent years, however.)
Impact
Base Score 3.x
8.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:startutorial:php_backend_for_resumable.js:0.1.4:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/dilab/resumable.php/commit/3c6dbf5170b01cbb712013c7d0a83f5aac45653b
- https://github.com/dilab/resumable.php/issues/34
- https://github.com/dilab/resumable.php/pull/27/commits/3e3c94d0302bb399a7611b4738a5a4dd0832a926
- https://github.com/dilab/resumable.php/pull/39/commits/408f54dff10e48befa44d417933787232a64304b
- https://github.com/dilab/resumable.php/pull/39/commits/d3552efd403e2d87407934477eee642836cab3b4