| タイトル | Harry Yu MoneyPrinterTurbo v1.2.6 Incomplete Identification of Uploaded File Variables |
|---|
| 説明 | app/controllers/v1/video.py:207-223 / upload_bgm_file: This function only checks if the file extension is '.mp3' and does not verify the actual content type of the file. This allows attackers to upload files with an '.mp3' extension that contain malicious content. Additionally, there is no file size limit, which could lead to exhaustion of storage resources. Furthermore, files are saved directly using their original filenames without sanitization, potentially allowing attackers to overwrite critical system files. |
|---|
| ユーザー | zhangjx (UID 87395) |
|---|
| 送信 | 2025年07月04日 06:31 (12 月 ago) |
|---|
| モデレーション | 2025年07月19日 13:19 (15 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 317010 [harry0703 MoneyPrinterTurbo 迄 1.2.6 File Extension video.py upload_bgm_file ファイル 特権昇格] |
|---|
| ポイント | 17 |
|---|