
CWE-434 (Unrestricted Upload of File with Dangerous Type) — Vulnerability Class (2041 CVEs)

2041 vulnerabilities classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). AI-generated Chinese analysis included.

CWE-434 is an input validation weakness in which an application permits the upload of file types that are inherently dangerous or that the environment processes automatically. Attackers typically exploit it by uploading malicious scripts, such as web shells or executable binaries, disguised as legitimate documents or images. If the server then interprets such a file as code, the attacker gains remote code execution and potentially full system compromise. To mitigate this risk, developers should implement a strict allowlist that names only the specific, safe file extensions permitted for upload. Uploaded files should also be stored outside the web root so they cannot be requested and executed directly, and the file content should be verified (for example by checking file headers rather than trusting the extension or the client-supplied content type) so that basic validation cannot be bypassed by renaming a file.

MITRE CWE Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability. Impact: Execute Unauthorized Code or Commands.
Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for web-server extensions such as .asp and .php because these file types are often treated as automatically executable, even when file system permissions do not spec…
Mitigations (5)
Architecture and Design: Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all. [REF-422] [REF-423]
Architecture and Design: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Architecture and Design: Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Architecture and Design: Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.
Examples (2)
The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".
<form action="upload_picture.php" method="post" enctype="multipart/form-data">
    Choose a file to upload:
    <input type="file" name="filename"/>
    <br/>
    <input type="submit" name="submit" value="Submit"/>
</form>
Good · HTML

// Define the target location where the picture being
// uploaded is going to be saved.
$target = "pictures/" . basename($_FILES['uploadedfile']['name']);

// Move the uploaded file to the new location.
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target)) {
    echo "The picture has been successfully uploaded.";
} else {
    echo "There was an error uploading the picture, please try again.";
}
Bad · PHP
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.
<form action="FileUploadServlet" method="post" enctype="multipart/form-data">
    Choose a file to upload:
    <input type="file" name="filename"/>
    <br/>
    <input type="submit" name="submit" value="Submit"/>
</form>
Good · HTML

public class FileUploadServlet extends HttpServlet {
    ...
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String contentType = request.getContentType();
        // the starting position of the boundary header
        int ind = contentType.indexOf("boundary=");
        String boundary = contentType.substring(ind+9);
        String pLine = new String();
        String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value
        // verify that content type is multipart form data i
Bad · Java
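A hardened counterpart to the "Bad · PHP" handler above, added here as an example (it is not MITRE's code). It applies the mitigations listed on this page: the file type is decided from the verified content rather than the user-supplied name, the stored filename is generated, and the file lands outside the web root. The directory path, size cap and allowed types are assumptions for illustration.

```php
<?php
// Added example: hardened replacement for the vulnerable upload_picture.php
// handler. Assumes UPLOAD_DIR is outside the document root (adjust per deployment).
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed path, not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB cap (assumed limit)

// "Accept known good": the extension is derived from the verified MIME type,
// never taken from $_FILES[...]['name'] or the client-supplied type.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_picture(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Content check: sniff the actual bytes with libmagic.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Second opinion from the image decoder; both checks must agree.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // Generate a new, unique filename: no external input is used at all.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640);   // readable by the app, never executable
    return $name;           // store this ID; a separate handler streams the file on request
}

// Usage from upload_picture.php (the form's field is named "filename"):
// $id = store_picture($_FILES['filename']);
```

Because the file is outside the document root, a request for it never reaches the PHP interpreter; the returned ID is what the application maps back to the file when serving it, which is the "other mechanism to deliver the files dynamically" from the mitigations list.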
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-10293 | ZZCMS functions.php Ebak_SetGotoPak unrestricted upload | ZZCMS | 6.3 | Medium | 2024-10-23
CVE-2024-49652 | WordPress 3D Work In Progress plugin <= 1.0.3 - Arbitrary File Upload vulnerability | 3D Work In Progress | 9.9 | Critical | 2024-10-23
CVE-2024-49653 | WordPress Portfolleo plugin <= 1.2 - Arbitrary File Upload vulnerability | Portfolleo | 9.9 | Critical | 2024-10-23
CVE-2024-49658 | WordPress Woocommerce Custom Profile Picture plugin <= 1.0 - Arbitrary File Upload vulnerability | Woocommerce Custom Profile Picture | 9.9 | Critical | 2024-10-23
CVE-2024-49668 | WordPress Verbalize WP plugin <= 1.0 - Arbitrary File Upload vulnerability | Verbalize WP | 10.0 | Critical | 2024-10-23
CVE-2024-49669 | WordPress INK Official plugin <= 4.1.2 - Arbitrary File Upload vulnerability | INK Official | 9.9 | Critical | 2024-10-23
CVE-2024-49671 | WordPress AI Postpix plugin <= 1.1.8 - Arbitrary File Upload vulnerability | AI Image Generator for Your Content & Featured Images – AI Postpix | 9.9 | Critical | 2024-10-23
CVE-2024-49676 | WordPress Custom Icons for Elementor plugin <= 0.3.3 - Arbitrary File Upload vulnerability | Custom Icons for Elementor | 6.6 | Medium | 2024-10-23
CVE-2024-10292 | ZZCMS ChangeTable.php unrestricted upload | ZZCMS | 6.3 | Medium | 2024-10-23
CVE-2024-10201 | Wellchoose Administrative Management System - Arbitrary File Upload | Administrative Management System | 8.8 | High | 2024-10-21
CVE-2024-49324 | WordPress Sovratec Case Management plugin <= 1.0.0 - Arbitrary File Upload vulnerability | Sovratec Case Management | 10.0 | Critical | 2024-10-20
CVE-2024-49326 | WordPress Affiliator plugin <= 2.1.3 - Arbitrary File Upload vulnerability | Affiliator | 10.0 | Critical | 2024-10-20
CVE-2024-49327 | WordPress Woostagram Connect plugin <= 1.0.2 - Arbitrary File Upload vulnerability | Woostagram Connect | 10.0 | Critical | 2024-10-20
CVE-2024-49329 | WordPress WP REST API FNS plugin <= 1.0.0 - Arbitrary File Upload vulnerability | WP REST API FNS | 10.0 | Critical | 2024-10-20
CVE-2024-49330 | WordPress Nice Backgrounds plugin <= 1.0 - Arbitrary File Upload vulnerability | Nice Backgrounds | 10.0 | Critical | 2024-10-20
CVE-2024-49331 | WordPress Property Lot Management System plugin <= 4.2.38 - Arbitrary File Upload vulnerability | Property Lot Management System | 9.9 | Critical | 2024-10-20
CVE-2024-49607 | WordPress WP Dropbox Dropins plugin <= 1.0 - Arbitrary File Upload vulnerability | WP Dropbox Dropins | 10.0 | Critical | 2024-10-20
CVE-2024-49610 | WordPress photokit plugin <= 1.0 - Arbitrary File Upload vulnerability | photokit | 10.0 | Critical | 2024-10-20
CVE-2024-49611 | WordPress Product Website Showcase plugin <= 1.0 - Arbitrary File Upload vulnerability | Product Website Showcase | 10.0 | Critical | 2024-10-20
CVE-2024-10161 | PHPGurukul Boat Booking System Update Boat Image Page change-image.php unrestricted upload | Boat Booking System | 6.3 | Medium | 2024-10-20
CVE-2024-10120 | wfh45678 Radar upload unrestricted upload | Radar | 7.3 | High | 2024-10-18
CVE-2024-49291 | WordPress Cooked Pro plugin < 1.8.0 - Unauthenticated Arbitrary File Upload vulnerability | Cooked Pro | 10.0 | Critical | 2024-10-17
CVE-2024-49314 | WordPress JiangQie Free Mini Program plugin <= 2.5.2 - Arbitrary File Upload vulnerability | JiangQie Free Mini Program | 10.0 | Critical | 2024-10-17
CVE-2024-49398 | Unrestricted Upload of File with Dangerous Type in Elvaco M-Bus Metering Gateway CMe3100 | M-Bus Metering Gateway CMe3100 | 9.8 (AI) | Critical (AI) | 2024-10-17
CVE-2024-48034 | WordPress Creates 3D Flipbook, PDF Flipbook plugin <= 1.2 - Arbitrary File Upload vulnerability | Creates 3D Flipbook, PDF Flipbook | 9.9 | Critical | 2024-10-16
CVE-2024-49216 | WordPress Feed Comments Number plugin <= 0.2.1 - Arbitrary File Upload vulnerability | Feed Comments Number | 10.0 | Critical | 2024-10-16
CVE-2024-49242 | WordPress Digital Lottery plugin <= 3.0.5 - Arbitrary File Upload vulnerability | Digital Lottery | 10.0 | Critical | 2024-10-16
CVE-2024-49260 | WordPress Limb Gallery plugin <= 1.5.7 - Arbitrary File Upload vulnerability | WordPress Gallery Plugin – Limb Image Gallery | 9.9 | Critical | 2024-10-16
CVE-2024-47649 | WordPress Iconize plugin <= 1.2.4 - Remote Code Execution (RCE) vulnerability | Iconize | 9.1 | Critical | 2024-10-16
CVE-2024-48027 | WordPress External featured image from bing plugin <= 1.0.2 - Remote Code Execution (RCE) vulnerability | External featured image from bing | 9.9 | Critical | 2024-10-16

Vulnerabilities classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) account for 2041 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.