| Título | Harry Yu MoneyPrinterTurbo v1.2.6 Incomplete Identification of Uploaded File Variables |
|---|
| Descrição | app/controllers/v1/video.py:207-223 / upload_bgm_file: This function only checks if the file extension is '.mp3' and does not verify the actual content type of the file. This allows attackers to upload files with an '.mp3' extension that contain malicious content. Additionally, there is no file size limit, which could lead to exhaustion of storage resources. Furthermore, files are saved directly using their original filenames without sanitization, potentially allowing attackers to overwrite critical system files. |
|---|
| Utilizador | zhangjx (UID 87395) |
|---|
| Submissão | 04/07/2025 06h31 (há 12 meses) |
|---|
| Moderação | 19/07/2025 13h19 (15 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 317010 [harry0703 MoneyPrinterTurbo até 1.2.6 File Extension video.py upload_bgm_file Ficheiro Elevação de Privilégios] |
|---|
| Pontos | 17 |
|---|