Arbitrary Code Execution Affecting jquery-file-upload package, versions *


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
1.17% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-JQUERYFILEUPLOAD-72622
  • published22 Nov 2018
  • disclosed2 Nov 2018
  • creditUnknown

Introduced: 2 Nov 2018

CVE-2018-9207  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

There is no fix version for jquery-file-upload, however it is possible to use the core components safely so long as users do not implement the demo code found in the upload.php file.

Overview

jquery-file-upload provides Multiple file Uploads with progress bar.

Affected versions of this package contain demo code which is vulnerable to Arbitrary Code Execution due to allowing the upload of arbitrary files. It did not require any validation to upload files to the server. Using the upload.php demo code will leave users vulnerable.

CVSS Scores

version 3.1