354 – Insecure file upload - Files Limit

Description

There is no limit to the number of files that can be uploaded to the system per unit of time, and uploading a new one does not delete the previous one from the server.

Impact

Upload large numbers of files over the upload limit size one after another, using up server storage resources indiscriminately.

Recommendation

Delete previous avatar files when uploading a new one, apply throttling.

Threat

Attacker from the Internet with valid session token to upload files.

Expected Remediation Time

45 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 040 - Compare file format and extension
• 041 - Scan files for malicious code

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/20