PT-2024-40030 · Flow
Published 2024-06-05 · Updated 2024-06-05
Severity: None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Flow versions 3.0.0
Flow versions 2.3.0 through 2.3.6
Description
The issue allows arbitrary file uploads, including server-side scripts, which creates a risk of attacks such as information disclosure, placement of backdoors, and data removal. It is exploitable only if the application built on Flow provides a file upload facility and the server executes the uploaded script files. The actual risk therefore depends on the system setup.
Recommendations
For Flow version 3.0.0, consider restricting file uploads or ensuring that uploaded files are not executed by the server as a temporary mitigation measure.
For Flow versions 2.3.0 through 2.3.6, consider disabling the MediaTypeConverter function to prevent potential XML External Entity processing vulnerabilities until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Affected Products
Flow