
CWE-434 (Unrestricted Upload of File with Dangerous Type) — Vulnerability Class 2042

2042 vulnerabilities classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). AI Chinese analysis included.

CWE-434 represents a critical input validation weakness where applications permit the upload of file types that are inherently dangerous or automatically processed by the system. Attackers typically exploit this vulnerability by uploading malicious scripts, such as web shells or executable binaries, disguised as legitimate documents or images. Once uploaded, these files are executed by the server, granting the attacker remote code execution capabilities and potentially full system compromise. To mitigate this risk, developers must implement strict allowlists that define only the specific, safe file extensions permitted for upload. Additionally, files should be stored outside the web root directory to prevent direct execution, and content verification techniques, such as checking file headers rather than relying solely on extensions, should be employed to ensure integrity and prevent evasion of basic validation checks.

MITRE CWE Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Common Consequences (1)
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for web-server extensions such as .asp and .php because these file types are often treated as automatically executable, even when file system permissions do not spec…
Mitigations (5)
Architecture and Design: Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all. [REF-422] [REF-423]
Architecture and Design: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Architecture and Design: Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Architecture and Design: Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.
Examples (2)
The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".
<form action="upload_picture.php" method="post" enctype="multipart/form-data">
    Choose a file to upload:
    <input type="file" name="filename"/>
    <br/>
    <input type="submit" name="submit" value="Submit"/>
</form>
Good · HTML
<?php
// Define the target location where the picture being
// uploaded is going to be saved. The $_FILES key matches the form's
// input name ("filename"). The user-supplied name is kept as-is and the
// file lands under the web root, so an uploaded .php script is executable.
$target = "pictures/" . basename($_FILES['filename']['name']);
// Move the uploaded file to the new location.
if (move_uploaded_file($_FILES['filename']['tmp_name'], $target)) {
    echo "The picture has been successfully uploaded.";
} else {
    echo "There was an error uploading the picture, please try again.";
}
Bad · PHP
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.
<form action="FileUploadServlet" method="post" enctype="multipart/form-data">
    Choose a file to upload:
    <input type="file" name="filename"/>
    <br/>
    <input type="submit" name="submit" value="Submit"/>
</form>
Good · HTML
public class FileUploadServlet extends HttpServlet {
    ...
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String contentType = request.getContentType();
        // the starting position of the boundary header
        int ind = contentType.indexOf("boundary=");
        String boundary = contentType.substring(ind+9);
        String pLine = new String();
        String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value
        // verify that content type is multipart form data i
Bad · Java
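The following upload validator is an added example, not MITRE's code or any of the listed products' code. It applies the mitigations above to the failure modes of both examples (user-supplied filename used in a path, no extension allowlist, no content check): it judges the file by an extension allowlist plus a header check, discards the client's filename entirely, and writes under a random server-generated name in an assumed directory outside the web root.

```python
import os
import secrets

# Accept-known-good list: the only extensions this handler stores, each with the
# file header ("magic bytes") that content of that type must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Assumed storage location outside the web document root; files here are handed
# out by a download handler, never executed by the web server.
UPLOAD_DIR = "/srv/app/uploads"


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(user_filename: str, content: bytes) -> str:
    """Return the allowlisted extension to store under, or raise UploadRejected."""
    # The client's filename is read only for its claimed extension; it never
    # becomes part of a path, so "../" or "\" in it cannot steer the write.
    base = os.path.basename(user_filename.replace("\\", "/"))
    # Judge by the last extension only, lower-cased: "shell.php.png" is "png"
    # here and then still has to carry a real PNG header below.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # Header check, not just extension: a script renamed to .png is refused.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("file header does not match extension")
    return ext


def server_filename(user_filename: str, content: bytes) -> str:
    """Validate, then mint a random server-side name: no external input in it."""
    return f"{secrets.token_hex(16)}.{validate_upload(user_filename, content)}"


def store_upload(user_filename: str, content: bytes, upload_dir: str = UPLOAD_DIR) -> str:
    """Validate and write the upload under a generated name; returns its path."""
    dest = os.path.join(upload_dir, server_filename(user_filename, content))
    os.makedirs(upload_dir, exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return dest
```

A full image decode (or a proper file-type library) is a stronger content check than the header prefix shown here; the structure of the decision does not change.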
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-3437 | SourceCodester Prison Management System Avatar add-admin.php unrestricted upload | Prison Management System | 7.3 | High | 2024-04-08
CVE-2024-3436 | SourceCodester Prison Management System Avatar edit-photo.php unrestricted upload | Prison Management System | 6.3 | Medium | 2024-04-07
CVE-2024-31280 | WordPress Church Admin plugin <= 4.1.5 - Arbitrary File Upload vulnerability | Church Admin | 9.9 | Critical | 2024-04-07
CVE-2024-31286 | WordPress WP Photo Album Plus plugin < 8.6.03.005 - Arbitrary File Upload vulnerability | WP Photo Album Plus | 9.9 | Critical | 2024-04-07
CVE-2024-31292 | WordPress Import XML and RSS Feeds plugin <= 2.1.5 - Arbitrary File Upload vulnerability | Import XML and RSS Feeds | 7.2 | High | 2024-04-07
CVE-2024-31345 | WordPress Auto Poster plugin <= 1.2 - Arbitrary File Upload vulnerability | Auto Poster | 9.1 | Critical | 2024-04-07
CVE-2024-3369 | code-projects Car Rental add-vehicle.php unrestricted upload | Car Rental | 6.3 | Medium | 2024-04-06
CVE-2024-31210 | PHP file upload bypass via Plugin installer | wordpress-develop | 7.7 | High | 2024-04-04
CVE-2024-3022 | BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin <= 1.0.87 - Authenticated (Admin+) Arbitrary File Upload | Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress | 7.2 | High | 2024-04-04
CVE-2024-27951 | WordPress Multiple Page Generator Plugin <= 3.4.0 - Auth. Remote Code Execution (RCE) vulnerability | Multiple Page Generator Plugin – MPG | 9.1 | Critical | 2024-04-03
CVE-2024-3129 | SourceCodester Image Accordion Gallery App add-image.php unrestricted upload | Image Accordion Gallery App | 6.3 | Medium | 2024-04-01
CVE-2024-30533 | WordPress Layouts for Elementor plugin < 1.8 - Arbitrary File Upload vulnerability | Layouts for Elementor | 7.5 | High | 2024-03-31
CVE-2024-31114 | WordPress Shortcode Addons <= 3.2.5 - Arbitrary File Upload vulnerability | Shortcode Addons | 9.1 | Critical | 2024-03-31
CVE-2024-31115 | WordPress Chauffeur Taxi Booking System for WordPress plugin <= 7.2 - Arbitrary File Upload vulnerability | Chauffeur Taxi Booking System for WordPress | 10.0 | Critical | 2024-03-31
CVE-2024-3117 | YouDianCMS ChannelAction.class.php unrestricted upload | YouDianCMS | 4.7 | Medium | 2024-03-31
CVE-2024-30510 | WordPress Salon booking system plugin <= 9.5 - Arbitrary File Upload vulnerability | Salon booking system | 10.0 | Critical | 2024-03-29
CVE-2024-30500 | WordPress CubeWP plugin <= 1.1.12 - Arbitrary File Upload vulnerability | CubeWP – All-in-One Dynamic Content Framework | 9.9 | Critical | 2024-03-29
CVE-2024-2890 | WordPress Tumult Hype Animations plugin <= 1.9.12 - Arbitrary File Upload vulnerability | Tumult Hype Animations | 9.1 | Critical | 2024-03-28
CVE-2024-29100 | WordPress AI Engine plugin <= 2.1.4 - Arbitrary File Upload vulnerability | AI Engine: ChatGPT Chatbot | 9.1 | Critical | 2024-03-28
CVE-2024-29891 | ZITADEL Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass | zitadel | 8.7 | High | 2024-03-27
CVE-2023-49815 | WordPress WappPress plugin <= 5.0.3 - Unauthenticated Arbitrary File Upload vulnerability | WappPress | 10.0 | Critical | 2024-03-27
CVE-2024-1532 | Hitachi Energy RTU500 security vulnerability | RTU500 series CMU firmware | 6.8 | Medium | 2024-03-27
CVE-2024-1531 | Hitachi Energy RTU500 security vulnerability | RTU500 series CMU firmware | 8.2 | High | 2024-03-27
CVE-2024-2930 | SourceCodester Music Gallery Site unrestricted upload | Music Gallery Site | 7.3 | High | 2024-03-26
CVE-2023-48777 | WordPress Elementor plugin 3.3.0-3.18.1 - Arbitrary File Upload vulnerability | Elementor Website Builder | 9.9 | Critical | 2024-03-26
CVE-2023-48275 | WordPress Widgets for Google Reviews plugin <= 11.0.2 - Arbitrary File Upload vulnerability | Widgets for Google Reviews | 8.0 | High | 2024-03-26
CVE-2023-39307 | WordPress Avada theme <= 7.11.1 - Authenticated Arbitrary File Upload vulnerability | Avada | 8.5 | High | 2024-03-26
CVE-2023-38388 | WordPress Jupiter X Core plugin <= 3.3.5 - Unauth. Arbitrary File Upload vulnerability | JupiterX Core | 9.0 | Critical | 2024-03-26
CVE-2023-47873 | WordPress WP Child Theme Generator plugin <= 1.0.9 - Arbitrary File Upload vulnerability | WP Child Theme Generator | 9.1 | Critical | 2024-03-26
CVE-2023-47846 | WordPress WP Githuber MD plugin <= 1.16.2 - Arbitrary File Upload vulnerability | WP Githuber MD | 9.1 | Critical | 2024-03-26

Vulnerabilities classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) represent 2042 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.