Michele Di Stefano

**Name of the Vulnerable Software and Affected Versions** plupload versions prior to 2.3.9 **Description** The issue allows an attacker to upload a file with a name containing JavaScript code, which could then be executed. This would require the attacker to trick a user into uploading such a file. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 2.3.9, update to version 2.3.9 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to prevent the execution of JavaScript code until a patch is applied. Avoid allowing users to upload files with names containing JavaScript code in the affected plupload package.

**Name of the Vulnerable Software and Affected Versions** pekeupload (affected versions not specified) **Description** The issue allows an attacker to execute javascript code if a user is induced to upload a file with a name containing the code. This is achieved by exploiting the file upload functionality, where the filename is not properly sanitized, allowing the execution of javascript code contained within the filename. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** file-upload-with-preview versions prior to 4.2.0 **Description** The issue allows a file containing malicious JavaScript code in its name to be uploaded, but this requires a user to be tricked into uploading such a file. **Recommendations** For versions prior to 4.2.0, update to version 4.2.0 or later to resolve the issue.