As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used.
Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension.
The README has been updated to include these guidelines.
References
| Link | Resource |
|---|---|
| https://cert.pl/en/posts/2024/01/CVE-2023-6551 | Third Party Advisory |
| https://cert.pl/en/posts/2024/01/CVE-2023-6551 | Third Party Advisory |
| https://cert.pl/posts/2024/01/CVE-2023-6551 | Third Party Advisory |
| https://cert.pl/posts/2024/01/CVE-2023-6551 | Third Party Advisory |
Configurations
History
10 Oct 2024, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension. The README has been updated to include these guidelines. |
11 Jan 2024, 16:41
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:verot:class.upload.php:-:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| First Time |
Verot
Verot class.upload.php |
|
| CWE | CWE-434 | |
| References | () https://cert.pl/posts/2024/01/CVE-2023-6551 - Third Party Advisory | |
| References | () https://cert.pl/en/posts/2024/01/CVE-2023-6551 - Third Party Advisory |
04 Jan 2024, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-01-04 16:15
Updated : 2025-06-03 15:15
NVD link : CVE-2023-6551
Mitre link : CVE-2023-6551
JSON object : View
Products Affected
verot
- class.upload.php
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type