Hubert Imoveis e Administracao Ltda Hub Arbitrary File Upload Vulnerability Allowing Code Execution
Vulnerability
A vulnerability allowing arbitrary file upload has been identified in Hubert Imoveis e Administracao Ltda Hub version 2.0 1.27.3. This vulnerability resides in the '/utils/uploadFile' component, where the application fails to properly validate file types during the upload process. Users can upload files under the guise of an avatar, but the backend does not restrict the file type to images. While the system blocks certain dangerous file types, it inadvertently allows the upload of PDFs, which can be accessed via direct links and potentially exploited to execute arbitrary code.
Impact
Exploitation of this vulnerability could lead to unauthorized code execution on the server.
Reproduction
To reproduce this vulnerability, upload a PDF file through the avatar upload feature in the application. The file type will not be properly validated, allowing the PDF to be stored and accessed via a direct link.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.