Luk Luk

**Name of the Vulnerable Software and Affected Versions** WSO2 products (affected versions not specified) **Description** An arbitrary file upload issue exists because of insufficient validation of filenames submitted by users in the BPEL uploader SOAP service endpoint. An attacker with administrative access can upload files to a location controlled by the user on the server. Exploiting this can allow an attacker to upload a malicious payload and achieve remote code execution (RCE), potentially compromising the server and its data. The vulnerable endpoint is '/services/bpel/upload'. The vulnerability involves improper handling of user-supplied filenames. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.