Arbitrary Code Execution

Affecting blueimp-file-upload package, versions <9.22.1

high severity

Overview

blueimp-file-upload is a File Upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery.

Affected versions of this package are vulnerable to Arbitrary Code Execution because they allow the upload of arbitrary files: no validation was required before files were accepted on the server.

Remediation

Upgrade blueimp-file-upload to version 9.22.1 or higher.

Credit: Larry W Cashdollar
CVE: CVE-2018-9206
CWE: CWE-434
Snyk ID: SNYK-JS-BLUEIMPFILEUPLOAD-72453
Disclosed: 09 Oct, 2018
Published: 15 Oct, 2018