As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used.
Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension.
The README has been updated to include these guidelines.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: CERT-PL
Published: 2024-01-04T16:04:34.995Z
Updated: 2024-08-02T08:35:14.672Z
Reserved: 2023-12-06T11:18:59.869Z
Link: CVE-2023-6551
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2024-01-04T16:15:09.380
Modified: 2024-01-11T16:41:19.250
Link: CVE-2023-6551
Redhat
No data.