| Field | Value |
|---|---|
| Title | Harry Yu MoneyPrinterTurbo v1.2.6 Incomplete Identification of Uploaded File Variables |
| Description | app/controllers/v1/video.py:207-223 / upload_bgm_file: This function only checks whether the file extension is '.mp3' and does not verify the actual content type of the file. This allows attackers to upload files with a '.mp3' extension that contain malicious content. Additionally, there is no file size limit, which could lead to exhaustion of storage resources. Furthermore, files are saved directly under their original filenames without sanitization, potentially allowing attackers to overwrite critical system files. |
| User | zhangjx (UID 87395) |
| Submission | 04.07.2025 06:31 (12 months ago) |
| Moderation | 19.07.2025 13:19 (15 days later) |
| Status | accepted |
| VulDB Entry | 317010 [harry0703 MoneyPrinterTurbo up to 1.2.6 File Extension video.py upload_bgm_file File privilege escalation] |
| Points | 17 |
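The three gaps the description lists (an extension-only check, no size limit, and the original filename written to disk unsanitized) can each be closed with a small check in the upload path. The block below is an added example written for this page; it is not code from MoneyPrinterTurbo, from the VulDB entry, or from the submitter. The function names, the 50 MiB limit, the sample byte strings, and the storage layout are assumptions of this example, and the MP3 check is a magic-byte / frame-sync heuristic rather than a full decoder.

```python
"""Hardening checks for an MP3 background-music upload handler.

Added example for this page (not MoneyPrinterTurbo code). It shows the
three checks the submission says upload_bgm_file lacks: content
validation, a size limit, and filename sanitisation. All names here
(looks_like_mp3, safe_bgm_filename, validate_bgm_upload, save_bgm,
MAX_BGM_BYTES) are this example's own.
"""
import os
import re
import secrets

MAX_BGM_BYTES = 50 * 1024 * 1024  # assumed limit; size it for your deployment

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]+")

# Constructed sample inputs (not real uploads).
SAMPLE_ID3_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 64
SAMPLE_RAW_MP3 = b"\xff\xfb\x90\x00" + b"\x00" * 64        # MPEG-1 Layer III frame sync
SAMPLE_NOT_MP3 = b"#!/bin/sh\necho this is not audio\n"    # script renamed to .mp3


def looks_like_mp3(data: bytes) -> bool:
    """Cheap content check: an ID3v2 tag or an MPEG audio frame header.

    Rejects files that merely carry a .mp3 extension (scripts, HTML,
    executables). It is a heuristic, not a decoder.
    """
    if len(data) < 4:
        return False
    if data[:3] == b"ID3":
        return True
    b0, b1 = data[0], data[1]
    # 11 sync bits set, version bits not the reserved value 01,
    # layer bits not the reserved value 00.
    if b0 == 0xFF and (b1 & 0xE0) == 0xE0:
        version = (b1 >> 3) & 0x03
        layer = (b1 >> 1) & 0x03
        return version != 0x01 and layer != 0x00
    return False


def safe_bgm_filename(original: str) -> str:
    """Derive a storage name that cannot traverse or overwrite anything.

    Strips any directory part (both separator styles), keeps a sanitised
    stem for readability, prefixes a random token so uploads never
    collide, and forces the .mp3 suffix regardless of what was sent.
    """
    base = original.replace("\\", "/").rsplit("/", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    stem = _UNSAFE_CHARS.sub("_", stem).strip("_")[:40] or "bgm"
    return f"{secrets.token_hex(8)}_{stem}.mp3"


def validate_bgm_upload(filename: str, data: bytes, max_bytes: int = MAX_BGM_BYTES):
    """Return (ok, reason); ok is True only if the upload may be stored."""
    if not filename.lower().endswith(".mp3"):
        return False, "extension must be .mp3"
    if len(data) > max_bytes:
        return False, f"file exceeds {max_bytes} bytes"
    if not looks_like_mp3(data):
        return False, "content is not MPEG audio"
    return True, "ok"


def save_bgm(upload_dir: str, filename: str, data: bytes) -> str:
    """Validate, then write under a generated name inside upload_dir only."""
    ok, reason = validate_bgm_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    os.makedirs(upload_dir, exist_ok=True)
    dest = os.path.join(upload_dir, safe_bgm_filename(filename))
    # Defence in depth: the generated name contains no separators, but
    # confirm the resolved path still lives in upload_dir before writing.
    if os.path.dirname(os.path.abspath(dest)) != os.path.abspath(upload_dir):
        raise ValueError("resolved path escapes upload directory")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(save_bgm(d, "../../etc/passwd.mp3", SAMPLE_ID3_MP3))
        for name, blob in [("song.mp3", SAMPLE_NOT_MP3), ("song.exe", SAMPLE_RAW_MP3)]:
            print(name, validate_bgm_upload(name, blob))
```

The size check is shown on an in-memory byte string for brevity; in a streaming framework the same limit should be enforced while reading the request body so an oversized upload is cut off before it is buffered. Generating the storage name server-side, rather than sanitising and reusing the client's name, is what removes the overwrite risk entirely.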