
Liamsystems

#20008 of 53,624
13 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1

PT-2026-29870 · CVSS 8.7 · 2026-04-02
Hytale · Hytale · CVE-2026-34735

**Name of the Vulnerable Software and Affected Versions**
Hytale versions 1.2.0 and prior

**Description**
The Hytale Modding Wiki allows server-side code execution through the `quickUpload()` API endpoint. The endpoint validates uploaded files by checking their MIME type using PHP's `finfo` function, which inspects file contents. However, the stored filename is constructed using the client-supplied file extension from `getClientOriginalExtension()`. These checks are independent, allowing an attacker to upload a file with content that passes the MIME allowlist but uses a .php extension. The file is stored on the public disk and is directly accessible via URL.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
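
The description of PT-2026-29870 turns on two checks that read different inputs: content for the MIME type, the client for the extension. The sketch below is an added example, not code from the Hytale Modding Wiki; it shows one way to close that gap by deriving the stored extension from the detected type. The allowlist, the function name `storedNameFor()` and the sample file are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: each accepted MIME type maps to the only
// extension it may be stored under. The wiki's real list is not on this page.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Build the stored filename from the detected content type only.
 * $clientName is accepted for logging; it never reaches the filesystem.
 */
function storedNameFor(string $tmpPath, string $clientName): string
{
    // finfo inspects the file contents, as the advisory describes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('rejected upload: type ' . var_export($mime, true));
    }
    // Random base name plus server-chosen extension: the type check and the
    // extension now come from the same source and cannot disagree.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

// Constructed sample: a bare PNG header submitted under a .php client filename.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" . str_repeat("\x00", 17));

$name = storedNameFor($tmp, 'avatar.php');
// The extension follows the detected type, not the client-supplied name.
echo 'stored extension: ', pathinfo($name, PATHINFO_EXTENSION), PHP_EOL;
unlink($tmp);
```

Serving the upload directory with script execution disabled, or from storage outside the web root, addresses the other condition the description names: files on the public disk being directly reachable by URL.
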
PT-2026-26164 · CVSS 4.3 · 2026-03-18
Unknown · Hytale Modding Wiki · CVE-2026-32736

**Name of the Vulnerable Software and Affected Versions**
Hytale Modding Wiki versions prior to 1.0.0

**Description**
An Insecure Direct Object Reference (IDOR) exists in the Hytale Modding Wiki. This allows any authenticated user to access personal information of mod authors, including their full names and email addresses, by visiting a mod page through its slug. The issue affects versions of the wiki prior to version 1.0.0.

**Recommendations**
Update to version 1.0.0 or later.