| عنوان | Harry Yu MoneyPrinterTurbo v1.2.6 Incomplete Identification of Uploaded File Variables |
|---|
| الوصف | app/controllers/v1/video.py:207-223 / upload_bgm_file: This function only checks if the file extension is '.mp3' and does not verify the actual content type of the file. This allows attackers to upload files with an '.mp3' extension that contain malicious content. Additionally, there is no file size limit, which could lead to exhaustion of storage resources. Furthermore, files are saved directly using their original filenames without sanitization, potentially allowing attackers to overwrite critical system files. |
|---|
| المستخدم | zhangjx (UID 87395) |
|---|
| ارسال | 04/07/2025 06:31 AM (12 أشهر منذ) |
|---|
| الاعتدال | 19/07/2025 01:19 PM (15 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 317010 [harry0703 MoneyPrinterTurbo حتى 1.2.6 File Extension video.py upload_bgm_file ملف تجاوز الصلاحيات] |
|---|
| النقاط | 17 |
|---|