Enilu Web-Flash Cross-Site Scripting Vulnerability in File Upload Component
Vulnerability
A cross-site scripting vulnerability has been identified in Enilu Web-Flash version 1.0. The issue arises in the File Upload component, specifically within the 'fileService.upload' function of the 'FileController'. The vulnerability is caused by inadequate validation of uploaded file suffixes, allowing unexpected files to be uploaded. This issue can be exploited remotely and has been publicly disclosed, with an available proof-of-concept exploit.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, upload a file through the 'fileService.upload' function in the 'FileController' of Enilu Web-Flash 1.0. The upload path does not properly validate the file suffix, so a file whose content a browser will execute as script can be stored and later served to users.
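The defect the advisory describes is a suffix check that is easy to get wrong. The following is an added example, not code from Enilu Web-Flash or from the advisory: it contrasts a blocklist-style check of the inadequate kind with an allowlist check that normalises the name, rejects every disallowed suffix in a multi-dotted name, and requires the bytes to match the claimed type. It is written in Python rather than the project's Java because the technique is language-independent; the allowlist, the magic-byte table and the header set are constructed assumptions for a deployment that only needs images, PDFs and plain text.

```python
import os
import unicodedata
from typing import Optional

# Constructed allowlist: the only suffixes this deployment is assumed to need.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

# Suffixes a browser renders as active content. Kept only so the weak check
# below has a blocklist to apply; the hardened check never consults it.
ACTIVE_CONTENT_SUFFIXES = {".html", ".htm", ".xhtml", ".svg", ".js"}

# Constructed magic-byte table for the binary types in the allowlist.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}


def weak_suffix_check(filename: str) -> bool:
    """Blocklist check of the inadequate kind: it compares the raw name,
    case-sensitively, against a fixed list and looks at nothing else."""
    return not any(filename.endswith(s) for s in ACTIVE_CONTENT_SUFFIXES)


def hardened_suffix_check(filename: str) -> Optional[str]:
    """Return the normalised final suffix if the name is acceptable, else None.

    Allowlist only. The name is reduced to a basename (both separators),
    Unicode-normalised and lower-cased, and every suffix after the first dot
    must be allowed, so 'notes.html.txt' is rejected, not just 'notes.html'.
    """
    base = os.path.basename(unicodedata.normalize("NFKC", filename)).strip()
    base = base.split("\\")[-1]  # os.path.basename on POSIX ignores backslashes
    if not base or base.startswith(".") or "\x00" in base:
        return None
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    suffixes = ["." + p for p in parts[1:]]
    if not all(s in ALLOWED_SUFFIXES for s in suffixes):
        return None
    return suffixes[-1]


def content_matches_suffix(data: bytes, suffix: str) -> bool:
    """Second gate: the stored bytes must look like the type the name claims."""
    if suffix in MAGIC:
        return data.startswith(MAGIC[suffix])
    if suffix == ".txt":
        # Plain text must contain no markup: a sniffing browser turning a
        # tag-bearing '.txt' into a document is how text becomes script.
        return b"<" not in data and b"\x00" not in data
    return False


def accept_upload(filename: str, data: bytes) -> bool:
    """Combined decision used by the upload handler."""
    suffix = hardened_suffix_check(filename)
    return suffix is not None and content_matches_suffix(data, suffix)


# Headers to send when serving anything from the upload store, so that even a
# file that slips past the checks is downloaded rather than rendered.
SAFE_DOWNLOAD_HEADERS = {
    "Content-Disposition": "attachment",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}


if __name__ == "__main__":
    for name in ("page.HTML", "Photo.JPG", "notes.html.txt", "../x.png"):
        print(name, weak_suffix_check(name), hardened_suffix_check(name))
```

The first gate alone is not enough: a name that passes the allowlist can still carry markup, which is why `accept_upload` also inspects the bytes, and why responses from the upload store should carry `Content-Disposition: attachment` and `nosniff` regardless of what the checks concluded at upload time.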
