Beakon Application Arbitrary File Upload Vulnerability Allowing Code Execution

A vulnerability allowing arbitrary file upload has been identified in Beakon Application versions prior to 5.4.3. This issue arises from inadequate validation of uploaded file types, enabling attackers to bypass restrictions and upload files containing malicious scripts. Once uploaded, these files can be accessed via specific URLs, where the scripts execute in the context of the user accessing the file, leading to cross-site scripting (XSS) attacks or phishing.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be used to execute malicious code on the server or deliver phishing content to users.

Reproduction

To reproduce this vulnerability, upload a file with a crafted name that bypasses the application's file extension restrictions, such as by appending a dot to the allowed extension. Then, use the file preview feature with a parameter that disables the download option to access the uploaded file. This will trigger the execution of any embedded scripts in the file.