PT-2020-18333 · Oneup · Oneup/Uploader-Bundle

Thibaud Kehler · Published 2020-02-05 · Updated 2021-12-30 · CVE-2020-5237

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

oneup/uploader-bundle versions 1.9.0 through 1.9.2
oneup/uploader-bundle versions 2.0.0 through 2.1.4

Description

The issue allows remote attackers to upload, copy, and modify files on the filesystem, potentially leading to arbitrary code execution. This is achieved via various parameters in different controllers: the filename parameter to BlueimpController.php; the dzchunkindex, dzuuid, or filename parameter to DropzoneController.php; the qqpartindex, qqfilename, or qquuid parameter to FineUploaderController.php; the x-file-id or x-file-name parameter to MooUploadController.php; and the name or chunk parameter to PluploadController.php. Because these client-supplied values are used when building filesystem paths, a relative path traversal is possible. The vulnerability can be exploited by any user with legitimate access to the upload functionality and can lead to arbitrary code execution, denial of service, and disclosure of confidential information.

Recommendations

For oneup/uploader-bundle versions 1.9.0 through 1.9.2, update to version 1.9.3. For oneup/uploader-bundle versions 2.0.0 through 2.1.4, update to version 2.1.5. As a temporary workaround, consider restricting access to the upload functionality until the patch is applied, and avoid relying on the vulnerable parameters (filename, dzchunkindex, dzuuid, qqpartindex, qqfilename, qquuid, x-file-id, x-file-name, name, and chunk) in the affected API endpoints until the issue is resolved.
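The controllers listed above take client-controlled upload parameters (a filename, a chunk uuid, a chunk index) and use them in filesystem paths. As an added example, not code from oneup/uploader-bundle or its fix, the following PHP function shows the validation and path-containment check a defender would expect before such parameters reach the disk; the function name, parameter names and the `<root>/<uuid>/<index>_<filename>` layout are assumptions.

```php
<?php
// Added example, not oneup/uploader-bundle code. Function and parameter names,
// and the "<root>/<uuid>/<index>_<filename>" layout, are assumptions.
declare(strict_types=1);

/**
 * Build the on-disk path for one upload chunk from request parameters.
 * Returns null on any suspicious input; the caller should answer 400.
 */
function safeChunkPath(string $uploadRoot, string $uuid, string $index, string $filename): ?string
{
    // 1. Strict allowlists: the uuid and chunk index come from the client, so
    //    they are validated against a fixed shape instead of being "sanitised".
    if (!preg_match('/\A[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/', $uuid)) {
        return null;
    }
    if (!preg_match('/\A[0-9]{1,6}\z/', $index)) {
        return null;
    }

    // 2. Keep only the last path component of the client filename (treating
    //    backslashes as separators too) and restrict its character set, which
    //    also rejects "." and "..".
    $name = basename(str_replace('\\', '/', $filename));
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        return null;
    }
    // Do not let the upload land with a server-executable extension.
    if (preg_match('/\.(php|phtml|phar)[0-9]*\z/i', $name)) {
        return null;
    }

    // 3. Defence in depth: resolve the upload root and confirm the target's
    //    directory still lies inside it, even if a check above were bypassed.
    $root = realpath($uploadRoot);
    if ($root === false) {
        return null;
    }
    $dir = $root . DIRECTORY_SEPARATOR . $uuid;
    $canonicalDir = realpath($dir) ?: $dir;   // the chunk directory may not exist yet
    if (strncmp($canonicalDir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $index . '_' . $name;
}

// Constructed inputs: a well-formed request, then requests carrying traversal
// sequences in the uuid and in the filename.
$root = sys_get_temp_dir();
var_dump(safeChunkPath($root, '123e4567-e89b-12d3-a456-426614174000', '0', 'report.pdf'));
var_dump(safeChunkPath($root, '../../etc', '0', 'report.pdf'));
var_dump(safeChunkPath($root, '123e4567-e89b-12d3-a456-426614174000', '0', '../../../shell.php'));
```

Only the first call yields a path; the second fails the uuid allowlist and the third is reduced to its basename and then rejected for its executable extension.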

Weakness Enumeration

Relative Path Traversal (path traversal)

Related Identifiers

CVE-2020-5237
GHSA-X8WJ-6M73-GFQP

Affected Products

Oneup/Uploader-Bundle