CVE-2021-33199

Name of the Vulnerable Software and Affected Versions Expression Engine versions prior to 6.0.3

Description The issue exists due to insufficient input validation in Expression Engine. This allows a remote attacker to impact the confidentiality, integrity, and availability of protected information. The addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.

Recommendations For versions prior to 6.0.3, update to version 6.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the mod.file.php module to minimize the risk of exploitation. Avoid using the input->get('file') variable in the affected API endpoint until the issue is resolved.