Name of the Vulnerable Software and Affected Versions: Flow versions 3.0.0 Flow versions 2.3.0 through 2.3.6

Description: The issue allows for arbitrary file uploads, including server-side scripts, which poses a risk of various attacks, such as information disclosure, placement of backdoors, and data removal. The upload of files is only possible if the application built on Flow provides means to do so, and the risk depends on the system setup. If uploaded script files are not executed by the server, there is no risk. Additionally, a potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.

Recommendations: For Flow version 3.0.0, consider restricting file uploads to prevent the execution of server-side scripts until a patch is available. For Flow versions 2.3.0 through 2.3.6, consider disabling the MediaTypeConverter to prevent XML External Entity processing vulnerabilities until a patch is available. As a temporary workaround, ensure that uploaded script files are not executed by the server to minimize the risk of exploitation.