| Title | Guns-Medical 1.0 Arbitrary File Upload |
|---|---|
| Description | There is no validation of file types, allowing attackers to upload malicious files. By directly saving the original file extension using `ToolUtil.getFileSuffix(picture.getOriginalFilename())`, it is possible to upload a malicious HTML file that triggers XSS when accessed. |
| Source | https://github.com/Poco-z/Guns-Medical/issues/15 |
| User | susu199 (UID 76394) |
| Submission | 10/20/2024 05:03 AM (2 months ago) |
| Moderation | 10/26/2024 09:29 AM (6 days later) |
| Status | Accepted |
| VulDB Entry | 281941 [Poco-z Guns-Medical 1.0 File Upload /mgr/upload picture cross site scripting] |
| Points | 18 |