exploitDog

CVE-2025-28168

Published: 05 May 2025
Source: nvd
CVSS3: 6.4
CVSS3: 9.8
EPSS: Low

Description

The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.

Vulnerable configurations

Configuration 1
cpe:2.3:a:multiple_file_upload_project:multiple_file_upload:3.1.0:*:*:*:*:outsystems:*:*

EPSS

Percentile: 15%
0.00047
Low

6.4 Medium

CVSS3

9.8 Critical

CVSS3

Weaknesses

CWE-602
CWE-434

Related vulnerabilities

CVSS3: 4.3
github
9 months ago

Outsystems Multiple File Upload < 3.1.0 is vulnerable to Unrestricted File Upload. The vulnerability is because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify the parameter to bypass extension restrictions and upload arbitrary files.