OpenPLC V3 Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in OpenPLC V3. This issue could be exploited for malvertising or phishing campaigns. The vulnerability arises from insufficient validation of uploaded files, allowing any file type to be uploaded as a profile picture.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads, potentially allowing for the distribution of malicious content or phishing attempts.

Reproduction

The vulnerability can be reproduced by uploading a file through the application's profile picture upload feature. The original implementation does not restrict the file types, allowing any file to be uploaded. After the vulnerability was fixed, the upload feature was restricted to only accept JPEG, PNG, and GIF images.
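The allowlist behaviour described above (only JPEG, PNG and GIF accepted), shown as an added example in Python; this is a hypothetical validator written for this page, not OpenPLC's own code, and it assumes the server can read the upload's bytes before saving it:

```python
# Added example: allowlist-based validation for a profile-picture upload,
# modelled on the fix described above. Hypothetical helper, not OpenPLC code.
import os
import secrets

# Extension allowlist mapped to the image type it must contain.
ALLOWED_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

# Leading bytes (magic numbers) of the three permitted formats.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data: bytes):
    """Return 'jpeg', 'png' or 'gif' based on the file's leading bytes, else None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_profile_picture(filename: str, data: bytes) -> bool:
    """Accept only when the extension is allowlisted AND the content matches it.

    Checking the extension alone is not enough: a renamed HTML or script file
    would pass. Checking content alone is not enough either: the stored name
    still decides how a browser treats the file when it is served back.
    """
    ext = os.path.splitext(filename)[1].lower()
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False
    return sniff_image_type(data) == expected


def safe_storage_name(filename: str, data: bytes):
    """Return a server-generated name with the validated extension, or None.

    The user-supplied name (which may contain path segments) is never reused.
    """
    if not validate_profile_picture(filename, data):
        return None
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext
```

The stored name is generated server-side so that the original filename cannot influence where or under what name the file is written.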

Remediation

Users can update to the latest version of OpenPLC V3, where this vulnerability has been addressed. Instructions for downloading the updated version are available on the OpenPLC GitHub repository.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.6
exploitability: 8.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.