External control of file name or path
Description
It is possible to modify the path to which an uploaded file will be saved.
Impact
- Save files in paths other than those expected by the application. - Overwrite important files within the system by referring to the path where the upload is performed.
Recommendation
Validate uploaded files names on the system and restrict the storage to destined folders only.
Threat
Anonymous attacker from external network.
Expected Remediation Time
⏱️ 30 minutes.
Score
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
Attack vector
N
Attack complexity
H
Attack requirements
N
Privileges required
L
User interaction
N
Confidentiality (VC)
N
Integrity (VI)
L
Availability (VA)
N
Confidentiality (SC)
N
Integrity (SI)
N
Availability (SA)
N
Threat 4.0
Exploit maturity
P
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P