| Field | Value |
|---|---|
| Title | fastapiadmin <= 2.2.0 Unrestricted Upload |
| Description | An unrestricted file upload vulnerability in FastapiAdmin (≤ 2.2.0) at /api/v1/common/file/upload allows authenticated users with the module_common:file:upload permission to write arbitrary files to the server filesystem and, combined with the scheduled task APIs, to achieve remote code execution. The upload routine trusts the Content-Type header to infer the allowed extension, does not validate or canonicalize file paths, and writes files directly under the upload directory, so an attacker can bypass the extension check (for example by uploading a Python script disguised as an SVG), persist the file, and trigger its execution via task scheduling. Mitigations include server-side content inspection (validating file magic bytes), deriving the extension from content rather than headers, normalizing saved paths and restricting them to a safe upload directory without execute permissions, generating randomized filenames, enforcing a strict allowlist of upload types, scanning uploads for dangerous content, and applying least-privilege access controls and audit logging to the upload and task APIs. |
| Source | https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-3 |
| User | Anonymous User |
| Submission | 11/02/2026 09:57 AM (3 months ago) |
| Moderation | 22/02/2026 04:09 PM (11 days later) |
| Status | Accepted |
| VulDB Entry | 347361 [FastApiAdmin up to 2.2.0 Scheduled Task API controller.py upload_controller privilege escalation] |
| Points | 20 |
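The mitigations listed in the description (magic-byte inspection, extension derived from content, randomized filenames, path confinement, no execute bit) can be combined into one upload handler. The code below is an added illustration, not FastapiAdmin's own code; the function names, the `MAGIC_SIGNATURES` allowlist and the constructed sample inputs are assumptions chosen for the example. It ignores both the client-supplied filename and the Content-Type header, which is exactly the input the vulnerable routine trusted.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Allowlist keyed by the leading bytes ("magic") of the content. The stored
# extension comes from this table only, never from the request. SVG is
# deliberately absent: it is scriptable XML text with no fixed magic bytes.
MAGIC_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}


class UploadRejected(ValueError):
    """Raised when an upload fails content inspection or path confinement."""


def detect_type(data: bytes) -> Optional[str]:
    """Return the allowlisted extension for the content's magic bytes, or None."""
    for magic, ext in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def safe_filename(ext: str) -> str:
    """Unguessable random name; the client-supplied name is discarded entirely."""
    return f"{secrets.token_hex(16)}.{ext}"


def confined_path(upload_dir: Path, filename: str) -> Path:
    """Resolve the target and refuse anything that lands outside upload_dir."""
    root = upload_dir.resolve()
    target = (root / filename).resolve()
    if target.parent != root:
        raise UploadRejected(f"path escapes upload directory: {filename!r}")
    return target


def store_upload(upload_dir: Path, data: bytes, declared_name: str, content_type: str) -> Path:
    """Store an upload after content inspection; declared_name/content_type are untrusted."""
    _ = (declared_name, content_type)  # kept only for logging; never used for decisions
    ext = detect_type(data)
    if ext is None:
        raise UploadRejected("content does not match any allowlisted file type")
    target = confined_path(upload_dir, safe_filename(ext))
    upload_dir.mkdir(parents=True, exist_ok=True)
    # O_EXCL prevents clobbering an existing file; mode 0o640 carries no execute bit.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def run_demo() -> dict:
    """Exercise the checks on constructed inputs inside a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp) / "uploads"
        png = b"\x89PNG\r\n\x1a\n" + bytes(16)  # constructed: PNG header plus padding
        saved = store_upload(upload_dir, png, "pic.png", "image/png")
        results["png_saved"] = saved.suffix == ".png" and saved.parent == upload_dir.resolve()
        results["png_no_exec"] = (saved.stat().st_mode & 0o111) == 0
        # Constructed: plain script text sent with an SVG name and Content-Type.
        disguised = b"print('not an image')\n"
        try:
            store_upload(upload_dir, disguised, "avatar.svg", "image/svg+xml")
            results["disguised_rejected"] = False
        except UploadRejected:
            results["disguised_rejected"] = True
        try:
            confined_path(upload_dir, "../escape.png")
            results["traversal_rejected"] = False
        except UploadRejected:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The allowlist is intentionally small; a production service would add the types it genuinely needs and pair this with the other controls the description names (content scanning, a separate permission for task scheduling, audit logs on both endpoints).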